diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 6237ddd84..011045fe0 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, FromBase64String Command Line, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Lazarus Loaders, Socat Relaying Socket, QakBot Process Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell Invoke Expression With Registry, FromBase64String Command Line, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Control Panel Items, Equation Group DLL_U Load, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disabled IE Security Features, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Control Panel Items, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index e08bf9e9d..a6838fbef 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File and Directory Permissions Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Linux Binary Masquerading, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Remote File Copy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH Tunnel Traffic, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, SSH X11 Forwarding, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Credentials Extraction, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Setuid Or Setgid Usage"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Many Downloads From Several Binaries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Remote File Copy, Netsh Port Forwarding"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, SSH Tunnel Traffic, SSH X11 Forwarding, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage, Credentials Extraction"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Many Downloads From Several Binaries"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Credentials Extraction"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index 17cad0c7d..a40291232 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, FromBase64String Command Line, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Lazarus Loaders, Socat Relaying Socket, QakBot Process Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, DNS Exfiltration and Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell Invoke Expression With Registry, FromBase64String Command Line, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Control Panel Items, Equation Group DLL_U Load, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disabled IE Security Features, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Control Panel Items, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 3a1d52cfd..1c68d5284 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, WithSecure Elements Warning Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, WithSecure Elements Critical Severity, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Sysmon Windows File Block Executable, WithSecure Elements Critical Severity, WithSecure Elements Warning Severity, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable, Explorer Process Executing HTA File"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Login Brute-Force Successful On SentinelOne EDR Management Console, Exfiltration Via Pscp, WithSecure Elements Critical Severity, OneNote Suspicious Children Process, WithSecure Elements Warning Severity, Usage Of Sysinternals Tools"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, WithSecure Elements Critical Severity, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Microsoft Defender Antivirus Threat Detected, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, WithSecure Elements Warning Severity, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Login Brute-Force Successful On SentinelOne EDR Management Console, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, Microsoft Defender Antivirus History Deleted, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, WithSecure Elements Warning Severity, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Download Files From Non-Legitimate TLDs, WithSecure Elements Critical Severity, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WithSecure Elements Warning Severity, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, WithSecure Elements Critical Severity, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Exploiting SetupComplete.cmd CVE-2019-1378, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index 97643f570..f88f62e6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index 5f39d2a3f..d0dbd0668 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Workspace / ChromeOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace Password Change, Google Workspace MFA changed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Admin Modification, Google Workspace Domain Delegation"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Google Workspace External Sharing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Account Warning, Google Workspace Admin Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace Admin Deletion, Google Workspace User Deletion, Google Workspace User Suspended"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Google Workspace Blocked Sender"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Workspace / ChromeOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Google Workspace External Sharing, Cryptomining"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Account Warning, Google Workspace Admin Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Suspended, Google Workspace Admin Deletion, Google Workspace User Deletion"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Google Workspace Blocked Sender"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 34949b341..52a8e953a 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Defender XDR / Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, Winword Document Droppers, Microsoft Office Spawning Script, Microsoft Defender XDR Office 365 Alert, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Defender XDR Cloud App Security Alert, HTA Infection Chains, Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs, Microsoft Defender XDR Endpoint Alert, Explorer Process Executing HTA File, ISO LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Microsoft Defender XDR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Microsoft Defender XDR Office 365 Alert, Trickbot Malware Activity, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender XDR Cloud App Security Alert, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Login Brute-Force Successful On SentinelOne EDR Management Console, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender XDR Endpoint Alert, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, Microsoft Defender XDR Alert, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Microsoft Defender XDR Office 365 Alert, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Login Brute-Force Successful On SentinelOne EDR Management Console, Smss Wrong Parent, Microsoft Defender XDR Endpoint Alert, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Microsoft Defender XDR Alert, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Mimikatz Basic Commands, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, SELinux Disabling, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable, Disabled Service"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, DNS Tunnel Technique From MuddyWater, Cryptomining, TrevorC2 HTTP Communication, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Defender XDR / Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Microsoft Defender XDR Endpoint Alert, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Defender XDR Cloud App Security Alert, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Microsoft Defender XDR Alert, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender XDR Office 365 Alert, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender XDR Endpoint Alert, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, Microsoft Defender XDR Cloud App Security Alert, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Microsoft Defender XDR Alert, Venom Multi-hop Proxy agent detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender XDR Office 365 Alert, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Microsoft Defender XDR Endpoint Alert, Csrss Wrong Parent, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Microsoft Defender XDR Cloud App Security Alert, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Microsoft Defender XDR Alert, Mshta Command From A Scheduled Task, Microsoft Defender XDR Office 365 Alert, Lsass Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, RDP Configuration File From Mail Process"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 6a001b474..8565362ff 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index fce882c5b..1d828ff25 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Trend Micro Apex One Malware Alert, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, Trend Micro Apex One Data Loss Prevention Alert, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, Trend Micro Apex One Malware Alert, Malspam Execution Registering Malicious DLL, Trend Micro Apex One Data Loss Prevention Alert, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Trend Micro Apex One Data Loss Prevention Alert, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, Trend Micro Apex One Malware Alert, PowerShell Commands Invocation, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Trend Micro Apex One Data Loss Prevention Alert, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Cookies Deletion, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, ISO LNK Infection Chain, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Trend Micro Apex One Malware Alert, Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, Trend Micro Apex One Malware Alert, SolarWinds Suspicious File Creation, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index 6c47567db..6b469945f 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 79bf44218..e7b4bcde9 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, SentinelOne EDR Threat Mitigation Report Kill Success, SquirrelWaffle Malspam Execution Loading DLL, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Agent Disabled, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Malicious Threat Not Mitigated, Login Failed Brute-Force On SentinelOne EDR Management Console, Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, SentinelOne EDR Custom Rule Alert, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, FromBase64String Command Line, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), MalwareBytes Uninstallation, SentinelOne EDR Threat Mitigation Report Quarantine Success, PowerShell Invoke Expression With Registry, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, Lazarus Loaders, Socat Relaying Socket, QakBot Process Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, FLTMC command usage, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), Cobalt Strike Default Beacons Names, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Kill Success, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, ZIP LNK Infection Chain, SentinelOne EDR Malicious Threat Not Mitigated, Login Failed Brute-Force On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Custom Rule Alert, HTA Infection Chains, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Quarantine Success, ISO LNK Infection Chain, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Control Panel Items, Equation Group DLL_U Load, CertOC Loading Dll"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell Invoke Expression With Registry, FromBase64String Command Line, Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Usage Of Procdump With Common Arguments, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Not Mitigated, Login Failed Brute-Force On SentinelOne EDR Management Console, OneNote Suspicious Children Process, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Login Brute-Force Successful On SentinelOne EDR Management Console, SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR User Logged In To The Management Console, PsExec Process, SentinelOne EDR User Failed To Log In To The Management Console, Usage Of Sysinternals Tools"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, SentinelOne EDR Agent Disabled, WMIC Uninstall Product, Login Failed Brute-Force On SentinelOne EDR Management Console, PowerShell Commands Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, SentinelOne EDR SSO User Added, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Kill Success, Lazarus Loaders, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Quarantine Success, Mustang Panda Dropper, Correlation Supicious Powershell Drop and Exec, SentinelOne EDR User Failed To Log In To The Management Console, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Suspicious File Name, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Detected (Malicious), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Detected (Suspicious), Login Brute-Force Successful On SentinelOne EDR Management Console, Venom Multi-hop Proxy agent detection, SentinelOne EDR Malicious Threat Not Mitigated, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Trace Alteration, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disabled IE Security Features, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, SentinelOne EDR Agent Disabled, Login Failed Brute-Force On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Failed To Log In To The Management Console, Malspam Execution Registering Malicious DLL, HTA Infection Chains, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious), MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Detected (Suspicious), ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Malicious Threat Not Mitigated, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Control Panel Items, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Generic, Correlation Supicious Powershell Drop and Exec, PowerShell EncodedCommand"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Agent Disabled, Usage Of Procdump With Common Arguments, Login Failed Brute-Force On SentinelOne EDR Management Console, OneNote Suspicious Children Process, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Detected (Suspicious), PsExec Process, SentinelOne EDR Malicious Threat Not Mitigated, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
index 48d973828..75dfdfd59 100644
--- a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x 1Password EPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: 1Password EPM Grant Access Vault"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: 1Password EPM Share Externally, Exfiltration Domain"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: 1Password EPM Brute Force"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x 1Password EPM", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: 1Password EPM Grant Access Vault"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: 1Password EPM Share Externally, Exfiltration Domain"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: 1Password EPM Brute Force"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index b01f09473..534d3cb5b 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare WAF Correlation Alerts, Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare WAF Correlation Alerts, Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare WAF Correlation Alerts, Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare WAF Correlation Alerts, Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index b0ab8842f..b2b0fc81c 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Screenconnect Remote Execution, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, PsExec Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, ISO LNK Infection Chain, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Windows Update LolBins, OneNote Suspicious Children Process, Suspicious DNS Child Process, PsExec Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Suspicious DNS Child Process, PsExec Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 5ece0ab30..b6b7efb16 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, SELinux Disabling, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable, Disabled Service"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, Cobalt Strike DNS Beaconing, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, New Service Creation, Smss Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, OneNote Suspicious Children Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, New Service Creation, Smss Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, OneNote Suspicious Children Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Windows Update LolBins, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Correlation Supicious Powershell Drop and Exec, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Windows Credential Editor Registry Key, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, ISO LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, Empire Monkey Activity, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Smss Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Smss Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Svchost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Svchost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Lsass Wrong Parent"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 847d07214..10fd0eacb 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 99b713b2c..913cbe0c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Password Change Brute-Force On AzureAD, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool, Password Change Brute-Force On AzureAD"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index 8fdcfaec2..2eab81d31 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index dd88cf1c9..bb77d5750 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection High Severity, ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection High Severity, ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index e7ae8bc0d..9ed578303 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, FromBase64String Command Line, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Lazarus Loaders, Socat Relaying Socket, QakBot Process Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell Invoke Expression With Registry, FromBase64String Command Line, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Control Panel Items, Equation Group DLL_U Load, CertOC Loading Dll"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disabled IE Security Features, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Control Panel Items, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index 13aa1bcb6..20f93c9e6 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 65d34a033..d7bef0de9 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, CrowdStrike Falcon Identity Protection Detection Informational Severity, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Office Spawning Script, Suspicious PowerShell Keywords, CrowdStrike Falcon Identity Protection Detection Critical Severity, Trickbot Malware Activity, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, CrowdStrike Falcon Identity Protection Detection Low Severity, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, CrowdStrike Falcon Identity Protection Detection High Severity, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, CrowdStrike Falcon Intrusion Detection Low Severity, Invoke-TheHash Commandlets, CrowdStrike Falcon Intrusion Detection Medium Severity, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Mshta Suspicious Child Process, CrowdStrike Falcon Intrusion Detection, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, CrowdStrike Falcon Intrusion Detection High Severity, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, CrowdStrike Falcon Mobile Detection Low Severity, CrowdStrike Falcon Mobile Detection High Severity, Cryptomining, CrowdStrike Falcon Mobile Detection Medium Severity, CrowdStrike Falcon Mobile Detection Critical Severity, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Informational Severity, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Informational Severity, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, CrowdStrike Falcon Identity Protection Detection Medium Severity, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Identity Protection Detection Low Severity, HTA Infection Chains, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Explorer Process Executing HTA File, ISO LNK Infection Chain, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Identity Protection Detection Critical Severity, Suspicious Outlook Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Informational Severity, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, CrowdStrike Falcon Identity Protection Detection Low Severity, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Intrusion Detection Low Severity, SolarWinds Wrong Child Process, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Rare Lsass Child Found, PsExec Process, CrowdStrike Falcon Intrusion Detection, Dllhost Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Intrusion Detection Low Severity, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, WMIC Uninstall Product, CrowdStrike Falcon Identity Protection Detection Critical Severity, PowerShell Commands Invocation, Mshta Suspicious Child Process, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, CrowdStrike Falcon Intrusion Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection High Severity, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Intrusion Detection Critical Severity, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, CrowdStrike Falcon Identity Protection Detection Informational Severity, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, CrowdStrike Falcon Intrusion Detection Medium Severity, Venom Multi-hop Proxy agent detection, CrowdStrike Falcon Identity Protection Detection Low Severity, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, CrowdStrike Falcon Mobile Detection Critical Severity, CrowdStrike Falcon Mobile Detection Low Severity, SEKOIA.IO Intelligence Feed, CrowdStrike Falcon Mobile Detection High Severity, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, CrowdStrike Falcon Mobile Detection Informational Severity, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Medium Severity"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Low Severity, ISO LNK Infection Chain, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection Critical Severity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection Informational Severity, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, CrowdStrike Falcon Intrusion Detection Low Severity, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, CrowdStrike Falcon Identity Protection Detection Critical Severity, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, CrowdStrike Falcon Intrusion Detection, Searchindexer Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, Windows Update LolBins, CrowdStrike Falcon Intrusion Detection Informational Severity, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, CrowdStrike Falcon Intrusion Detection Critical Severity, Winrshost Wrong Parent, Spoolsv Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Informational Severity, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, CrowdStrike Falcon Intrusion Detection Medium Severity, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json
index 9db090323..5c317118f 100644
--- a/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2345b987-a94a-4363-b7bc-a6e4a9efd98a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Vision One OAT [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, PowerShell Credential Prompt, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Microsoft Windows Active Directory Module Commandlets, Adidnsdump Enumeration, Remote System Discovery Via Telnet, System Network Connections Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Vision One OAT [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, PowerShell Credential Prompt, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, TrustedInstaller Impersonation, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Exploiting SetupComplete.cmd CVE-2019-1378, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index e2e90c6b4..2ac93d720 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, HTA Infection Chains, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 67aa0ef05..001d69c3d 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index 3674163e5..f212d7a59 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, SquirrelWaffle Malspam Execution Loading DLL, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Turla Named Pipes, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious DLL Loaded Via Office Applications, Aspnet Compiler, Suspicious Windows Script Execution, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, Detection of default Mimikatz banner, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, In-memory PowerShell, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Mshta Suspicious Child Process, Suspicious Scripting In A WMI Consumer, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Lazarus Loaders, PowerShell Download From URL, Suspicious Outlook Child Process, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Remote File Copy"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH Tunnel Traffic, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Cryptomining, Many Downloads From Several Binaries, Suspicious LDAP-Attributes Used, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, GitLab CVE-2021-22205"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Dynwrapx Module Loading, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Webshell Creation, Microsoft IIS Module Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Active Directory User Backdoors, Mimikatz Basic Commands, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Replication User Backdoor, Enabling Restricted Admin Mode"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, Winword Document Droppers, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Threat, HTA Infection Chains, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, Explorer Process Executing HTA File, ISO LNK Infection Chain, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, HarfangLab EDR Critical Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Suspicious PsExec Execution, Svchost Wrong Parent, Spoolsv Wrong Parent, Correlation Impacket Smbexec, Winlogon wrong parent, Suspicious DNS Child Process, Windows Suspicious Service Creation, Smss Wrong Parent, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Suspicious PsExec Execution, Svchost Wrong Parent, Spoolsv Wrong Parent, Correlation Impacket Smbexec, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Windows Suspicious Service Creation, Smss Wrong Parent, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Check Point Harmony Mobile Application Forbidden"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Turla Named Pipes, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, Detection of default Mimikatz banner, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, In-memory PowerShell, Powershell Web Request, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Suspect Svchost Memory Access, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Exclusion Configuration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, LSASS Memory Dump File Creation, Suspicious CommandLine Lsassy Pattern, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, LSASS Access From Non System Account, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Unsigned Image Loaded Into LSASS Process, Cmdkey Cached Credentials Recon, SAM Registry Hive Handle Request, Mimikatz Basic Commands, Malicious Service Installations, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, LSASS Memory Dump File Creation, Suspicious SAM Dump, Impacket Secretsdump.py Tool, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dumping By LaZagne, RedMimicry Winnti Playbook Dropped File, HackTools Suspicious Names, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, NetNTLM Downgrade Attack, Lsass Access Through WinRM, Active Directory Database Dump Via Ntdsutil, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, DPAPI Domain Backup Key Extraction, WCE wceaux.dll Creation, Mimikatz LSASS Memory Access, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, LSASS Access From Non System Account, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, HarfangLab EDR Critical Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Outlook Registry Access, Credentials Extraction, Opening Of a Password File, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, Windows Defender Logging Modification Via Registry, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, Remote Registry Management Using Reg Utility, Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, DHCP Callout DLL Installation, Disable Security Events Logging Adding Reg Key MiniNt, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, LanManServer Registry Modify"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Herpaderping, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Malicious Named Pipe, Dynwrapx Module Loading, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Process Hollowing Detection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, Correlation Impacket Smbexec, Cobalt Strike Default Service Creation Usage, Lateral Movement Remote Named Pipe, RDP Login From Localhost, Lsass Access Through WinRM, Smbexec.py Service Installation, Protected Storage Service Access, Denied Access To Remote Desktop, Admin Share Access, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, User Added to Local Administrators, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack, DNS ServerLevelPluginDll Installation, Elevated Msiexec Via Repair Functionality, Werfault DLL Injection, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Secure Deletion With SDelete, Eventlog Cleared, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Reconnaissance Commands Activities, PowerView commandlets 2, AD User Enumeration, Discovery Commands Correlation, Remote Enumeration Of Lateral Movement Groups, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Rubeus Register New Logon Process, Suspicious Kerberos Ticket, Suspicious TGS requests (Kerberoasting), User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, Secure Deletion With SDelete, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Unsigned Driver Loaded From Suspicious Location, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Execution From Suspicious Folder"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Correlation Impacket Smbexec, Cobalt Strike Default Service Creation Usage, Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, WMI DLL Loaded Via Office, Suspicious Scripting In A WMI Consumer, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, PowerShell Credential Prompt, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Turla Named Pipes, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Detection of default Mimikatz banner, Correlation Supicious Powershell Drop and Exec, Mustang Panda Dropper, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Microsoft Office Spawning Script, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, In-memory PowerShell, Alternate PowerShell Hosts Pipe, XSL Script Processing And SquiblyTwo Attack, Suspicious File Name, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, PowerShell Malicious PowerShell Commandlets, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Remote File Copy, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH Tunnel Traffic, SSH X11 Forwarding, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious LDAP-Attributes Used, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted, Chafer (APT 39) Activity, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Many Downloads From Several Binaries"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Suspicious DNS Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, TUN/TAP Driver Installation, Exfiltration Domain In Command Line, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, Dynwrapx Module Loading, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Active Directory User Backdoors, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, ISO LNK Infection Chain, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Threat, Explorer Process Executing HTA File, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, HarfangLab EDR Medium Threat, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, StoneDrill Service Install, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, StoneDrill Service Install, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Windows Suspicious Service Creation, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Correlation Impacket Smbexec, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Windows Suspicious Service Creation, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Windows Update LolBins, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Correlation Impacket Smbexec, Wsmprovhost Wrong Parent, Check Point Harmony Mobile Application Forbidden, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Detection of default Mimikatz banner, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Turla Named Pipes, Powershell Web Request, In-memory PowerShell, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Python Opening Ports, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Disable Security Events Logging Adding Reg Key MiniNt, Powershell AMSI Bypass, Python Opening Ports, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, AMSI Deactivation Using Registry Key, Suspect Svchost Memory Access, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dump Tools Related Files, LSASS Access From Non System Account, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, Password Dumper Activity On LSASS, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Createdump"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Password Dumper Activity On LSASS, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Credential Dumping-Tools Common Named Pipes, NTDS.dit File Interaction Through Command Line, DPAPI Domain Backup Key Extraction, Credential Dump Tools Related Files, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne, Lsass Access Through WinRM, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, DCSync Attack, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, HackTools Suspicious Names, SAM Registry Hive Handle Request, Transfering Files With Credential Data Via Network Shares, Copying Browser Files With Credentials, Suspicious SAM Dump, Malicious Service Installations, LSASS Memory Dump File Creation, Active Directory Replication from Non Machine Account, Unsigned Image Loaded Into LSASS Process, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Impacket Secretsdump.py Tool, LSASS Access From Non System Account, Suspicious CommandLine Lsassy Pattern, Active Directory Database Dump Via Ntdsutil, Mimikatz Basic Commands"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Threat, Explorer Process Executing HTA File, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, Adexplorer Usage, Credentials Extraction"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, RDP Port Change Using Powershell, FlowCloud Malware, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, Disable Workstation Lock, Suspicious Desktopimgdownldr Execution, Disable Security Events Logging Adding Reg Key MiniNt, Blue Mockingbird Malware, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, LanManServer Registry Modify, Ursnif Registry Key, Remote Registry Management Using Reg Utility, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Dynwrapx Module Loading, MavInject Process Injection, Wsmprovhost Wrong Parent, Malicious Named Pipe, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Process Herpaderping, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Cobalt Strike Named Pipes, Process Hollowing Detection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Denied Access To Remote Desktop, Protected Storage Service Access, MMC Spawning Windows Shell, Correlation Impacket Smbexec, RDP Port Change Using Powershell, Admin Share Access, Lateral Movement Remote Named Pipe, RDP Login From Localhost, Lsass Access Through WinRM, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, User Added to Local Administrators, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Werfault DLL Injection, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Werfault DLL Injection, DNS ServerLevelPluginDll Installation, Windows Registry Persistence COM Search Order Hijacking, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Elevated Msiexec Via Repair Functionality, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Elevated Shell Launched By Browser"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, PowerView commandlets 2, PowerView commandlets 1, SCM Database Handle Failure"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, Remote Enumeration Of Lateral Movement Groups, PowerView commandlets 2, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, Netscan Share Access Artefact, PowerView commandlets 1"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI DLL Loaded Via Office, WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Kerberos Pre-Auth Disabled in UAC, Possible Replay Attack, Rubeus Tool Command-line, Suspicious TGS requests (Kerberoasting), Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Component Object Model Hijacking, WMI Event Subscription, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete, PowerShell EncodedCommand"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character, Unsigned Driver Loaded From Suspicious Location, Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, SysKey Registry Keys Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Correlation Impacket Smbexec, Admin Share Access, Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index c6119ea65..a4afec0b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index 5583abd8b..b6028a780 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index f4a16dc75..ec3313dc1 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Login Brute-Force Successful On SentinelOne EDR Management Console, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Mimikatz Basic Commands, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Login Brute-Force Successful On SentinelOne EDR Management Console, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Login Brute-Force Successful On SentinelOne EDR Management Console, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Login Brute-Force Successful On SentinelOne EDR Management Console, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, Microsoft Defender Antivirus History Deleted, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 3ff77dce6..5013c2e47 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, TrevorC2 HTTP Communication, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index 3feab16c5..ba8cdfed6 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Credentials Extraction, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, Malspam Execution Registering Malicious DLL, ZIP LNK Infection Chain, Explorer Process Executing HTA File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage, Credentials Extraction"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, ISO LNK Infection Chain, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index a5463132e..ae21349e9 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
index f2802511a..7e3b0acf8 100644
--- a/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ V103", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Gatewatcher AionIQ V103 Shellcode Detect"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ V103 Sigflow Alert, Gatewatcher AionIQ V103 Beacon Detect"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Network Behavior Analytics"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1029", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malicious Powershell Detect"}, {"techniqueID": "T1598", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Retrohunt, Gatewatcher AionIQ V103 Active CTI"}, {"techniqueID": "T1568.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1568", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Ransomware Detect"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ V103", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Shellcode Detect, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ V103 Beacon Detect, Gatewatcher AionIQ V103 Sigflow Alert"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Network Behavior Analytics"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Gatewatcher AionIQ V103 Malcore"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1029", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malicious Powershell Detect"}, {"techniqueID": "T1598", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Active CTI, Gatewatcher AionIQ V103 Retrohunt"}, {"techniqueID": "T1568.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1568", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Ransomware Detect"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index eb30bcc57..03043c243 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Web Application Launching Shell, Suspicious Outlook Child Process, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, ESET Protect Malware"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, ESET Protect Intrusion Detection, Microsoft Office Spawning Script"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt, Elevated Shell Launched By Browser"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Spawning Script"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Web Application Launching Shell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation, Microsoft Office Spawning Script, Web Application Launching Shell, Suspicious Outlook Child Process, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, ESET Protect Malware, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Winword Document Droppers, ISO LNK Infection Chain, MS Office Product Spawning Exe in User Dir, ESET Protect Intrusion Detection, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt, Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt, Elevated Shell Launched By Browser"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Lsass Wrong Parent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Web Application Launching Shell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index fa866b461..683c4d5ad 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index e7f8db808..27028a21b 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Sliver DNS Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Dynamic DNS Contacted, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index f393f1315..61e197d2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index bbffe6f32..d080e9309 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index 9d8a33ea1..36239ff90 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Mimikatz Basic Commands, Malicious Service Installations, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Impacket Secretsdump.py Tool, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Transfering Files With Credential Data Via Network Shares, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Password Dumper Activity On LSASS"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Credentials Extraction, Opening Of a Password File, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, Eventlog Cleared, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, User Added to Local Administrators, Mimikatz Basic Commands, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, SSH Authorized Key Alteration, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Remote Privileged Group Enumeration, Reconnaissance Commands Activities, PowerView commandlets 2, AD User Enumeration, Shell PID Injection, Discovery Commands Correlation, Remote Enumeration Of Lateral Movement Groups, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, LokiBot Default C2 URL, DNS Tunnel Technique From MuddyWater, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Python HTTP Server, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, Suspicious DNS Child Process, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Webshell Creation, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Webshell Creation, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, Winword Document Droppers, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Threat, HTA Infection Chains, HarfangLab EDR Critical Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, Explorer Process Executing HTA File, ISO LNK Infection Chain, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, HarfangLab EDR Critical Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Critical Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, HarfangLab EDR Critical Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Suspicious PsExec Execution, Svchost Wrong Parent, Spoolsv Wrong Parent, Correlation Impacket Smbexec, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Suspicious PsExec Execution, Svchost Wrong Parent, Spoolsv Wrong Parent, Correlation Impacket Smbexec, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, Correlation Impacket Smbexec, Lateral Movement Remote Named Pipe, RDP Login From Localhost, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, User Added to Local Administrators, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Suspicious New Printer Ports In Registry, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Password Dumper Activity On LSASS"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Event Subscription, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Suspicious Kerberos Ticket, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Correlation Impacket Smbexec, Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, PowerShell Credential Prompt, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, PowerShell Malicious PowerShell Commandlets, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Password Dumper Activity On LSASS, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Transfering Files With Credential Data Via Network Shares, Copying Browser Files With Credentials, Malicious Service Installations, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Impacket Secretsdump.py Tool, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, Adexplorer Usage, Credentials Extraction"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Elevated Msiexec Via Repair Functionality, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, Remote Enumeration Of Lateral Movement Groups, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Chafer (APT 39) Activity, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Chafer (APT 39) Activity, Cobalt Strike DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server, TrevorC2 HTTP Communication, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Python HTTP Server, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, ISO LNK Infection Chain, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Threat, Explorer Process Executing HTA File, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, HarfangLab EDR Medium Threat, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Threat, Explorer Process Executing HTA File, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Correlation Impacket Smbexec, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Correlation Impacket Smbexec, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, MMC Spawning Windows Shell, Correlation Impacket Smbexec, RDP Port Change Using Powershell, Admin Share Access, Lateral Movement Remote Named Pipe, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, Ursnif Registry Key, Remote Registry Management Using Reg Utility, Chafer (APT 39) Activity, FlowCloud Malware, DNS ServerLevelPluginDll Installation, Windows Defender Logging Modification Via Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, Netscan Share Access Artefact, PowerView commandlets 1"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, WMI Event Subscription, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Possible Replay Attack, Rubeus Tool Command-line, Suspicious Kerberos Ticket"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Correlation Impacket Smbexec, Admin Share Access, Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index 8b094e2f9..c11553318 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 6501d85a4..ee412801c 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Detection, Sophos EDR CorePUA Clean, Download Files From Suspicious TLDs, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Blocked, Sophos EDR CorePUA Detection, Sophos EDR CorePUA Clean, Sophos EDR Application Detected, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index fc138030d..8f5326ce2 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 867e69c55..dd964f703 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 405cf8309..d8c371e43 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Trickbot Malware Activity, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Mimikatz Basic Commands, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Credentials Extraction, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Port Change Using Powershell, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, PowerShell Credential Prompt, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, PowerShell Malicious PowerShell Commandlets, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Dumpert LSASS Process Dumper, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, TrustedInstaller Impersonation, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage, Credentials Extraction"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, ISO LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Windows Update LolBins, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Credentials Extraction"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 729480e74..614c53a4e 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel, Cryptomining, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Suspicious Windows DNS Queries"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Cleaned, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Cleaned"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index cf63d555b..b0594e4e2 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 9613f2e3c..29664cb92 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 391eb72f2..4d584f262 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Aspnet Compiler, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index 3d5235372..c5dd5d620 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cato Networks SASE High Risk Alert, Detect requests to Konni C2 servers, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Cato Networks SASE High Risk Alert, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index df7b543f8..0a0d7b800 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed, Suspicious Download Links From Legitimate Services, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
index 4ba528183..00c013284 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sesame it Jizo NDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Alert High Severity Sesame it Jizo NDR, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jizo AI / Sesame it NDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Alert High Severity Sesame it Jizo NDR, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index 31d038d1f..f85cb9f76 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 6a9d842df..72e9ed4e4 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index eaa7a9fd5..bd8e08ab8 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
index 2e80983b5..8802156f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Load Balancing", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index ab4b5f7de..50a9b7e4a 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 0dfdfd2ee..54d8a6fda 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 126c0828d..93c34740e 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, TrevorC2 HTTP Communication, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Correlation Fortigate Multi Alert From One Internal Ip, Fortigate IPS High Severity Alert, Fortigate IPS Critical Alert, Correlation Fortigate Multi Dest From One Internal Ip, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Microsoft Defender Antivirus Threat Detected, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Correlation Fortigate Multi Dest From One Internal Ip, Internet Scanner Target, Fortigate IPS Critical Alert, Burp Suite Tool Detected, Fortigate IPS High Severity Alert, Correlation Fortigate Multi Alert From One Internal Ip"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
index 7dabb7c42..a45ac6e14 100644
--- a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Material Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Severe Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Material Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Severe Vulnerability"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index c4942b703..3645cbc3a 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security High Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security High Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 08455251e..f7789914b 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index c8a7b87a5..e2e33891c 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, SELinux Disabling, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json
index 594b97228..8653b8777 100644
--- a/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59912cb4-2eef-4987-ad9a-cb657e29b929_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x LockSelf", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x LockSelf", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index c062f2596..c6db28996 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index b95d25a8b..252577ac1 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index bd037c58c..ae3fa68cf 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index 9cdcb7974..56cd6f244 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 344a0a316..df1f9a62a 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index ffbccd3ca..d4c039bdc 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
index 574e53549..668e80337 100644
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
index ffce49a69..e64765755 100644
--- a/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Clavister NGFW [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Clavister NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
index ae770e107..e9d192954 100644
--- a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Application Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index af555a154..a297a0026 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index ed31dfdca..e4c3deb78 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, FromBase64String Command Line, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Lazarus Loaders, Socat Relaying Socket, QakBot Process Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Brute Force WALLIX Bastion"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell Invoke Expression With Registry, FromBase64String Command Line, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Control Panel Items, Equation Group DLL_U Load, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disabled IE Security Features, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Brute Force WALLIX Bastion"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Control Panel Items, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index 9dae5b60c..63952b730 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index 575fbb5fe..63d9ac53c 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index 1d5840951..9ce9d6df0 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index b95148979..425e8b79a 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index 67976edf3..db39306c2 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index 4628a25fa..c5873e7bb 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index a7a767527..18a38c03c 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index 134dbc8e6..ce78a6c15 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index 6d07196f2..aa478a653 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cloudflare Gateway DNS Query Blocked to Malicious Domain, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cloudflare Gateway DNS Query Blocked to Malicious Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cloudflare Gateway DNS Query Blocked to Malicious Domain, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway DNS Query Blocked to Malicious Domain, Cloudflare Gateway DNS Query Allowed to Malicious Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 919d3c5bb..4e250bc91 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Many File Created and Deleted, Varonis Massive Dowloads By A Single User"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Many File Created and Deleted, Varonis Massive Dowloads By A Single User"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index 3eb9eff06..7260472a1 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 665f6839a..1caf557da 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub New Organization Member"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index 02ddafb7c..475f95c07 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index d5c71eee4..6eb0edb2d 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index 5b25a929c..f024cad81 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 0d0ca4f06..6144154af 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index 8ebe3d49f..6da7039a0 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
index fe00b4411..ed5933ae7 100644
--- a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Thinkst Canary", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 080fe3b40..a049f9496 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index fb79f2f9a..2660abcc6 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index f978258ec..4720064b3 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), TEHTRIS EDR Alert, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, TEHTRIS EDR Alert, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, OneNote Suspicious Children Process, TEHTRIS EDR Alert, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, TEHTRIS EDR Alert, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, TEHTRIS EDR Alert, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index c3d6a6412..f33e0d3c0 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index e218cafeb..e9f2708fd 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Correlation Block Multiple Destinations, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Correlation Potential DNS Tunnel, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Login Brute-Force Successful On SentinelOne EDR Management Console, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, WAF Correlation Block Multiple Destinations, Internet Scanner Target, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index 31188609b..91f6b0287 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index 252974d2b..647c970ac 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 6a6617d3a..2c56a7802 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious DLL Loaded Via Office Applications, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, Detection of default Mimikatz banner, PowerShell Malicious Nishang PowerShell Commandlets, Login Brute-Force Successful On SentinelOne EDR Management Console, Screenconnect Remote Execution, In-memory PowerShell, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, PowerShell Credential Prompt, Mshta Suspicious Child Process, Suspicious Scripting In A WMI Consumer, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Unsigned Image Loaded Into LSASS Process, Cmdkey Cached Credentials Recon, SAM Registry Hive Handle Request, Mimikatz Basic Commands, Malicious Service Installations, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, LSASS Memory Dump File Creation, Suspicious SAM Dump, Impacket Secretsdump.py Tool, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dumping By LaZagne, RedMimicry Winnti Playbook Dropped File, HackTools Suspicious Names, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, NetNTLM Downgrade Attack, Lsass Access Through WinRM, Active Directory Database Dump Via Ntdsutil, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, DPAPI Domain Backup Key Extraction, WCE wceaux.dll Creation, Mimikatz LSASS Memory Access, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, LSASS Access From Non System Account, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Credentials Extraction, Opening Of a Password File, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Secure Deletion With SDelete, Erase Shell History, Clear EventLogs Through CommandLine, Eventlog Cleared, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Suspect Svchost Memory Access, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Herpaderping, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, Malicious Named Pipe, Dynwrapx Module Loading, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Process Hollowing Detection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, Elevated Shell Launched By Browser, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking, DNS ServerLevelPluginDll Installation, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Werfault DLL Injection, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Active Directory User Backdoors, Mimikatz Basic Commands, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Replication User Backdoor, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Correlation Potential DNS Tunnel, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, TrevorC2 HTTP Communication, Suspicious LDAP-Attributes Used, Python HTTP Server, Koadic MSHTML Command, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Unsigned Driver Loaded From Suspicious Location, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Execution From Suspicious Folder"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer, Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage, Suspicious Hostname"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Audit CVE Event, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, Winword Document Droppers, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Threat, HTA Infection Chains, HarfangLab EDR Critical Level Rule Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, Explorer Process Executing HTA File, ISO LNK Infection Chain, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, HarfangLab EDR Critical Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Spawning Script, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Critical Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, HarfangLab EDR Critical Threat, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Dynwrapx Module Loading, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Suspicious PsExec Execution, Svchost Wrong Parent, Spoolsv Wrong Parent, Correlation Impacket Smbexec, Winlogon wrong parent, Suspicious DNS Child Process, Windows Suspicious Service Creation, Smss Wrong Parent, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Suspicious PsExec Execution, Svchost Wrong Parent, Spoolsv Wrong Parent, Correlation Impacket Smbexec, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Login Brute-Force Successful On SentinelOne EDR Management Console, Windows Suspicious Service Creation, Smss Wrong Parent, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Check Point Harmony Mobile Application Forbidden"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Turla Named Pipes, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, Detection of default Mimikatz banner, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, In-memory PowerShell, Powershell Web Request, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, LSASS Memory Dump File Creation, Suspicious CommandLine Lsassy Pattern, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, LSASS Access From Non System Account, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, Windows Defender Logging Modification Via Registry, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, Remote Registry Management Using Reg Utility, Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, DHCP Callout DLL Installation, Disable Security Events Logging Adding Reg Key MiniNt, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, LanManServer Registry Modify"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, Correlation Impacket Smbexec, Cobalt Strike Default Service Creation Usage, Lateral Movement Remote Named Pipe, RDP Login From Localhost, Lsass Access Through WinRM, Smbexec.py Service Installation, Protected Storage Service Access, Denied Access To Remote Desktop, Admin Share Access, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, User Added to Local Administrators, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Reconnaissance Commands Activities, PowerView commandlets 2, AD User Enumeration, Discovery Commands Correlation, Remote Enumeration Of Lateral Movement Groups, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Rubeus Register New Logon Process, Suspicious Kerberos Ticket, Suspicious TGS requests (Kerberoasting), User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, Secure Deletion With SDelete, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Correlation Impacket Smbexec, Cobalt Strike Default Service Creation Usage, Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, WMI DLL Loaded Via Office, Suspicious Scripting In A WMI Consumer, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, PowerShell Credential Prompt, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Turla Named Pipes, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Detection of default Mimikatz banner, Correlation Supicious Powershell Drop and Exec, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Microsoft Office Spawning Script, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, In-memory PowerShell, Alternate PowerShell Hosts Pipe, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, PowerShell Malicious PowerShell Commandlets, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Login Brute-Force Successful On SentinelOne EDR Management Console, Venom Multi-hop Proxy agent detection, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Password Dumper Activity On LSASS, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Credential Dumping-Tools Common Named Pipes, NTDS.dit File Interaction Through Command Line, DPAPI Domain Backup Key Extraction, Credential Dump Tools Related Files, Dumpert LSASS Process Dumper, Process Trace Alteration, Credential Dumping By LaZagne, Lsass Access Through WinRM, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, DCSync Attack, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, HackTools Suspicious Names, SAM Registry Hive Handle Request, Transfering Files With Credential Data Via Network Shares, Copying Browser Files With Credentials, Suspicious SAM Dump, Malicious Service Installations, LSASS Memory Dump File Creation, Active Directory Replication from Non Machine Account, Unsigned Image Loaded Into LSASS Process, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Impacket Secretsdump.py Tool, LSASS Access From Non System Account, Suspicious CommandLine Lsassy Pattern, Active Directory Database Dump Via Ntdsutil, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, Adexplorer Usage, Credentials Extraction"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Disable Security Events Logging Adding Reg Key MiniNt, Powershell AMSI Bypass, Python Opening Ports, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Suspect Svchost Memory Access, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Dynwrapx Module Loading, MavInject Process Injection, Wsmprovhost Wrong Parent, Malicious Named Pipe, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Process Herpaderping, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Cobalt Strike Named Pipes, Process Hollowing Detection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Elevated Msiexec Via Repair Functionality, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Active Directory User Backdoors, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute, AD Object WriteDAC Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server, TrevorC2 HTTP Communication, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Suspicious LDAP-Attributes Used, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character, Unsigned Driver Loaded From Suspicious Location, Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, ISO LNK Infection Chain, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Threat, Explorer Process Executing HTA File, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, HarfangLab EDR Medium Threat, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, HarfangLab EDR Critical Level Rule Detection, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Threat, Explorer Process Executing HTA File, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, Dynwrapx Module Loading, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, StoneDrill Service Install, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, StoneDrill Service Install, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Windows Suspicious Service Creation, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Searchindexer Wrong Parent, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Correlation Impacket Smbexec, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Windows Suspicious Service Creation, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Windows Update LolBins, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Correlation Impacket Smbexec, Wsmprovhost Wrong Parent, Check Point Harmony Mobile Application Forbidden, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Detection of default Mimikatz banner, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Turla Named Pipes, Powershell Web Request, In-memory PowerShell, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Python Opening Ports, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dump Tools Related Files, LSASS Access From Non System Account, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, Password Dumper Activity On LSASS, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Createdump"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, RDP Port Change Using Powershell, FlowCloud Malware, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, Disable Workstation Lock, Suspicious Desktopimgdownldr Execution, Disable Security Events Logging Adding Reg Key MiniNt, Blue Mockingbird Malware, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, LanManServer Registry Modify, Ursnif Registry Key, Remote Registry Management Using Reg Utility, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Denied Access To Remote Desktop, Protected Storage Service Access, MMC Spawning Windows Shell, Correlation Impacket Smbexec, RDP Port Change Using Powershell, Admin Share Access, Lateral Movement Remote Named Pipe, RDP Login From Localhost, Lsass Access Through WinRM, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, User Added to Local Administrators, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Werfault DLL Injection, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, PowerView commandlets 2, PowerView commandlets 1, SCM Database Handle Failure"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, Remote Enumeration Of Lateral Movement Groups, PowerView commandlets 2, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, Netscan Share Access Artefact, PowerView commandlets 1"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI DLL Loaded Via Office, WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Kerberos Pre-Auth Disabled in UAC, Possible Replay Attack, Rubeus Tool Command-line, Suspicious TGS requests (Kerberoasting), Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Component Object Model Hijacking, WMI Event Subscription, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete, PowerShell EncodedCommand"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, SysKey Registry Keys Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Correlation Impacket Smbexec, Admin Share Access, Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index ce37f2a35..0f5206296 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, ZIP LNK Infection Chain"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
index 480141268..a45a24bd1 100644
--- a/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Vision One Workbench Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Trend Micro Vision One Workbench Medium Severity Alert, ISO LNK Infection Chain, HTA Infection Chains, Trend Micro Vision One Workbench Critical Severity Alert, Malspam Execution Registering Malicious DLL, ZIP LNK Infection Chain, Trend Micro Vision One Workbench Low Severity Alert, Trend Micro Vision One Workbench high Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Trend Micro Vision One Workbench Medium Severity Alert, Sekoia.io EICAR Detection, Trend Micro Vision One Workbench Critical Severity Alert, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Trend Micro Vision One Workbench Low Severity Alert, Trend Micro Vision One Workbench high Severity Alert, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Vision One Workbench Medium Severity Alert, PsExec Process, Trend Micro Vision One Workbench Critical Severity Alert, Usage Of Procdump With Common Arguments, Trend Micro Vision One Workbench Low Severity Alert, Usage Of Sysinternals Tools, Trend Micro Vision One Workbench high Severity Alert"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NetNTLM Downgrade Attack, Mimikatz Basic Commands, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Discovery Commands Correlation, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Control Panel Items, Equation Group DLL_U Load, CertOC Loading Dll"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Microsoft Windows Active Directory Module Commandlets, Adidnsdump Enumeration"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Vision One Workbench Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Trend Micro Vision One Workbench Critical Severity Alert, Trend Micro Vision One Workbench Medium Severity Alert, ISO LNK Infection Chain, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Trend Micro Vision One Workbench high Severity Alert, ZIP LNK Infection Chain, Trend Micro Vision One Workbench Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Trend Micro Vision One Workbench high Severity Alert, WMIC Uninstall Product, Trend Micro Vision One Workbench Low Severity Alert, PowerShell Commands Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Trend Micro Vision One Workbench Critical Severity Alert, Trend Micro Vision One Workbench Medium Severity Alert, Malicious PowerShell Keywords, WMImplant Hack Tool, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious Taskkill Command, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Vision One Workbench Critical Severity Alert, Trend Micro Vision One Workbench Medium Severity Alert, Usage Of Procdump With Common Arguments, Trend Micro Vision One Workbench high Severity Alert, Usage Of Sysinternals Tools, PsExec Process, Trend Micro Vision One Workbench Low Severity Alert"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, TrustedInstaller Impersonation, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Control Panel Items, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Wmic Service Call, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index 3d681f1b6..05078c336 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Suspicious Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Suspicious Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index e7850f62c..1bbe89875 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 107d04f2d..4818916fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Mimikatz Basic Commands, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Mshta Command From A Scheduled Task, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Rare Lsass Child Found, PsExec Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, Rare Logonui Child Found, SolarWinds Wrong Child Process, Searchprotocolhost Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Rare Lsass Child Found, Windows Update LolBins, PsExec Process, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Mshta Command From A Scheduled Task, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, ISO LNK Infection Chain, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Mshta Command From A Scheduled Task, Windows Update LolBins, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index 6d7051941..fa53bc58c 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Mimikatz Basic Commands, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Malspam Execution Registering Malicious DLL, ZIP LNK Infection Chain, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Explorer Process Executing HTA File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Correlation Supicious Powershell Drop and Exec, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Cookies Deletion, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), ISO LNK Infection Chain, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index 075091d0d..2affca0d8 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Claroty xDome Network Threat Detection Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Claroty xDome Network Threat Detection Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index 87cb70439..19106d69b 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains, ZIP LNK Infection Chain, Cybereason EDR Malware Detection, Cybereason EDR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Cybereason EDR Malware Detection, Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, Cybereason EDR Malware Detection, Cybereason EDR Alert"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Cybereason EDR Malware Detection, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Cybereason EDR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Cybereason EDR Malware Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Malware Detection, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Cybereason EDR Alert"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 6e1b9c2ad..648aadc95 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 5a26b26b2..c62ab51c2 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index cbc756d2e..502d19591 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, FromBase64String Command Line, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Lazarus Loaders, Socat Relaying Socket, QakBot Process Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Sliver DNS Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell Invoke Expression With Registry, FromBase64String Command Line, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Control Panel Items, Equation Group DLL_U Load, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Login Brute-Force Successful On SentinelOne EDR Management Console, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disabled IE Security Features, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Python HTTP Server, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, ACLight Discovering Privileged Accounts, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Control Panel Items, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Wmic Service Call, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index 8fd28099c..be2fe3323 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index c82eb53b6..3480efa74 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index 475d96539..cb045e17c 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
index a48940d83..390f23d63 100644
--- a/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OCSF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, LokiBot Default C2 URL, DNS Tunnel Technique From MuddyWater, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Python HTTP Server, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, Suspicious DNS Child Process, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Creation, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Creation, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, PsExec Process, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, PsExec Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, New Service Creation, OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, New Service Creation, OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OCSF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, Microsoft Defender Antivirus History Deleted, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Mshta Command From A Scheduled Task, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server, TrevorC2 HTTP Communication, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Python HTTP Server, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, RDP Configuration File From Mail Process"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Mshta Command From A Scheduled Task, Windows Update LolBins, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, PsExec Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, OneNote Suspicious Children Process, Suspicious DNS Child Process, PsExec Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index 7b9e8fe47..b9e52ce5e 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index c919710c6..8f35b591a 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index 44d5f4e6b..5f14bb968 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius, FreeRADIUS Failed Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication, Login Brute-Force On FreeRadius"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
index 895cbaeca..c539b0ad2 100644
--- a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Juniper Networks Switches", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index f983f5562..abc566723 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index 0e56f9996..df7a0a362 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One Medium Intrusion"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Medium Intrusion"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, ISO LNK Infection Chain, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json
index face3b15f..9bf96cc6a 100644
--- a/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b502e522-6996-4b12-9538-f69326b68243_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Singularity Identity [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Screenconnect Remote Execution, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, New Service Creation, Smss Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, OneNote Suspicious Children Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, New Service Creation, Smss Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, OneNote Suspicious Children Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Windows Update LolBins, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, System Network Connections Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Singularity Identity [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, ISO LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, Empire Monkey Activity, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Smss Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Smss Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Svchost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Svchost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Lsass Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 98b507a83..065d2f640 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 9d2e10bfb..0ee6364e9 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Trellix Network Security Threat Blocked, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Trellix Network Security Threat Notified, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Trellix Network Security Threat Notified, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Trellix Network Security Threat Blocked, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 0fe39ff08..c0643ce23 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ v102", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Malware Alert, Gatewatcher AionIQ Network Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ v102", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Malware Alert, SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Network Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index 17ba3468e..7c7bc8257 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index 26a54a89c..5cf0635da 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 5b778e089..dcb3e6329 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Aspnet Compiler, Suspicious Windows Script Execution, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Suspicious File Name, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Mimikatz Basic Commands, Malicious Service Installations, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Suspicious desktop.ini Action, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, SELinux Disabling, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, User Added to Local Administrators, Mimikatz Basic Commands, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Correlation Potential DNS Tunnel, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Chafer (APT 39) Activity, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Smbexec.py Service Installation, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, Windows Defender Logging Modification Via Registry, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, DHCP Callout DLL Installation, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, LanManServer Registry Modify"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Login From Localhost, Smbexec.py Service Installation, RDP Port Change Using Powershell, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, User Added to Local Administrators, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Unsigned Driver Loaded From Suspicious Location, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, PowerShell Credential Prompt, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Aspnet Compiler, PowerShell Malicious PowerShell Commandlets, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Copying Browser Files With Credentials, Malicious Service Installations, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Defender Deactivation Using PowerShell Script, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, TrustedInstaller Impersonation, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, Compression Followed By Suppression, Microsoft Defender Antivirus History Deleted, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Chafer (APT 39) Activity, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Chafer (APT 39) Activity, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Smbexec.py Service Installation, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Malicious Service Installations, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Malicious PowerShell Keywords, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Malicious PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, RDP Port Change Using Powershell, FlowCloud Malware, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, Disable Workstation Lock, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, LanManServer Registry Modify, Ursnif Registry Key, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Port Change Using Powershell, RDP Login From Localhost, Smbexec.py Service Installation, MMC20 Lateral Movement"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Unsigned Driver Loaded From Suspicious Location, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index 4306ec98f..80155bd98 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index 3e372b8cc..1f92d1e31 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index 4830a9c97..f5d3acd4a 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index d8b0920bd..02423f200 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, ZIP LNK Infection Chain, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Mass Download By A Single User, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, HTA Infection Chains, Microsoft 365 (Office 365) MCAS Repeated Delete, Download Files From Suspicious TLDs, ISO LNK Infection Chain, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Policy Removed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 Security and Compliance Center Medium Severity Alert, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Mass Download By A Single User, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 Security and Compliance Center High Severity Alert, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, RDP Configuration File From Mail Process, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Repeated Delete, Suspicious Email Attachment Received, Download Files From Suspicious TLDs, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Policy Removed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Microsoft 365 Sign-in With No User Agent, Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Microsoft 365 Sign-in With No User Agent, Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Email Attachment Received, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Download Links From Legitimate Services, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Aspnet Compiler, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Policy Removed, ISO LNK Infection Chain, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) AtpDetection, HTA Infection Chains, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) DLP Policy Removed, ZIP LNK Infection Chain, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Repeated Failed Login"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Policy Removed, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Suspicious Double Extension, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 Security and Compliance Center Medium Severity Alert, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Mass Download By A Single User, Possible Malicious File Double Extension, Microsoft 365 (Office 365) AtpDetection, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Suspicious Download Links From Legitimate Services, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Suspicious Email Attachment Received, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, RDP Configuration File From Mail Process, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Microsoft 365 Security and Compliance Center High Severity Alert, Microsoft 365 (Office 365) MCAS Repeated Failed Login"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Download Links From Legitimate Services, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index c3e31680e..a0d80c0ee 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index be831dec1..09b86ffb9 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
index 360f6fe4e..cb33f5795 100644
--- a/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitdefender GravityZone [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bitdefender GravityZone Endpoint Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Bitdefender GravityZone Endpoint Detection, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Bitdefender GravityZone Endpoint Detection, SolarWinds Wrong Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitdefender GravityZone [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bitdefender GravityZone Endpoint Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Bitdefender GravityZone Endpoint Detection"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Bitdefender GravityZone Endpoint Detection, SolarWinds Wrong Child Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 4eb89ccaf..9e4bcff46 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 8109c9f37..3c045c2cb 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index d47c65e3f..623373522 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail Important Change, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EC2 Security Group Modified"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Policy Changed, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail S3 Bucket Replication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, Backup Catalog Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Important Change, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup, User Account Created"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index 795c530bd..84ff43efa 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index 7336cdcfa..3c20bbe2d 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index e4905c87c..69f467d18 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index 73bc88866..47f8053c7 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Authentication Impossible Travel, Account Added To A Security Enabled Group"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Authentication Impossible Travel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index d542b834c..d44de38b2 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index aff659756..e4f3ad984 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cryptomining, Dynamic DNS Contacted, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Sliver DNS Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cobalt Strike DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cryptomining, Dynamic DNS Contacted, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index 588ce413a..7036ea319 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index 129b4e89b..f646a50f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Netskope Successful Brute Force On Protected Applications, Netskope Successful Brute-Force On Management Console, Netskope Potential Brute Force On Protected Applications"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Malware Patient Zero Detected, Netskope Malware Detected, Netskope Potential Brute Force On Protected Applications, Netskope Successful Brute Force On Protected Applications, Netskope Successful Brute-Force On Management Console, Netskope Web Isolation On Suspicious Domain, Netskope Admin Audit High Severity"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alerts Compliance"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Web Isolation On Suspicious Domain, Netskope Malware Patient Zero Detected, Netskope Malware Detected, Netskope Admin Audit High Severity"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Netskope Successful Brute Force On Protected Applications, Netskope Potential Brute Force On Protected Applications, Netskope Successful Brute-Force On Management Console"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit High Severity, Netskope Successful Brute Force On Protected Applications, Netskope Successful Brute-Force On Management Console, Netskope Web Isolation On Suspicious Domain, Netskope Malware Detected, Netskope Potential Brute Force On Protected Applications, Netskope Malware Patient Zero Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alerts Compliance, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit High Severity, Netskope Web Isolation On Suspicious Domain, Netskope Malware Patient Zero Detected, Netskope Malware Detected"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index 913ddb85e..16a1fc422 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index 11959970c..159ed2a2f 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, SEKOIA.IO Intelligence Feed, Malware Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Suspicious Email Attachment Received, Spearphishing (CEO Fraud) Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Malware Detected By Vade For M365, Suspicious Email Attachment Received, Spam Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 1f7ede55f..59edefbe6 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta Application deleted, Okta Application modified, Okta User Impersonation Access, Okta User Account Deactivated"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified, Okta Blacklist Manipulations, Okta Security Threat Configuration Updated, Okta MFA Disabled"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App, Okta Many Passwords Reset Attempt"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In Multiple Applications, Okta User Logged In From Multiple Countries"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application deleted, Okta Application modified, Okta Admin Privilege Granted, Okta User Account Deactivated, Okta User Impersonation Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Security Threat Configuration Updated, Okta Blacklist Manipulations, Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta MFA Disabled, Okta Network Zone Modified"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Many Passwords Reset Attempt, Okta Suspicious Activity Reported"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In From Multiple Countries, Okta User Logged In Multiple Applications"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Okta MFA Brute-Force Successful, Login Brute-Force Successful On Okta"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Okta MFA Brute-Force Successful, Login Brute-Force Successful On Okta"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index 09d1da920..e20ecaec2 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Venom Multi-hop Proxy agent detection, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, SELinux Disabling, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Equation Group DLL_U Load, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Windows Defender Logging Modification Via Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, WMIC Uninstall Product, PowerShell Commands Invocation, PowerShell EncodedCommand, Python Offensive Tools and Packages, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, FromBase64String Command Line, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious File Name, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, SELinux Disabling, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disabled Service, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Compression Followed By Suppression, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Microsoft Office Macro Security Registry Modifications, Leviathan Registry Key Activity, Malware Persistence Registry Key, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Allowed Python Program"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index 206c03790..c4ed98c3b 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 080a4662e..f79b82a76 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index 625b821a7..07517602b 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index b6ad5b8d2..3c0395d6a 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index 346cfd036..4b86554c0 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index bd01d3008..16361b05d 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index f5ef051c0..21f6fc9f3 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index 99d1f2e5d..97c82bbd9 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Correlation Supicious Powershell Drop and Exec, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Spawning Script, Suspicious PowerShell Keywords, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Suspicious Windows Script Execution, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, PowerShell Invoke Expression With Registry, Interactive Terminal Spawned via Python, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, PowerShell Download From URL, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process, Elise Backdoor"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Trace Alteration, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Opening Of a Password File"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, Eventlog Cleared, High Privileges Network Share Removal"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Address Space Layout Randomization (ASLR) Alteration, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FLTMC command usage, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Elevated Msiexec Via Repair Functionality, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Correlation Priv Esc Via Remote Thread"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, Network Scanning and Discovery"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Possible Malicious File Double Extension, RTLO Character, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Internet Scanner Target, Remote System Discovery Via Telnet, Internet Scanner, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ZIP LNK Infection Chain, Winword Document Droppers, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, HTA Infection Chains, Stormshield Ses Emergency Block, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, ISO LNK Infection Chain, Stormshield Ses Critical Not Block, Sysmon Windows File Block Executable, Stormshield Ses Critical Block, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, xWizard Execution, Control Panel Items, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, CMSTP Execution, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Control Process"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, New Service Creation, Taskhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Windows Update LolBins, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, Exfiltration Via Pscp, OneNote Suspicious Children Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Suspicious DNS Child Process, Smss Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, PsExec Process, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Child Found, Usage Of Sysinternals Tools"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Correlation Supicious Powershell Drop and Exec, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Invoke Expression With Registry, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Windows Firewall Changes"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disabling SmartScreen Via Registry, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Windows Defender Logging Modification Via Registry, LanManServer Registry Modify, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Ntfsinfo Usage, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Fingerprint Commands, WMIC Uninstall Product, WMI Install Of Binary, Wmic Service Call, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Wmic Process Call Creation, Invoke-TheHash Commandlets"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Screenconnect Remote Execution, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, Lazarus Loaders, Web Application Launching Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Event Subscription, Change Default File Association, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Gpresult Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Socat Reverse Shell Detection, WMIC Uninstall Product, PowerShell Commands Invocation, Mshta Suspicious Child Process, PowerShell EncodedCommand, Generic-reverse-shell-oneliner, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Web Application Launching Shell, FromBase64String Command Line, Screenconnect Remote Execution, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Mustang Panda Dropper, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Elise Backdoor, Suspicious Cmd.exe Command Line, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, Windows Credential Editor Registry Key, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Mimikatz Basic Commands, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, WMI Fingerprint Commands, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Discovery Commands Correlation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Container Credential Access, Linux Suspicious Search, Outlook Registry Access, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, WMIC Uninstall Product, Dism Disabling Windows Defender, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, Raccine Uninstall, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, Fail2ban Unban IP, NetSh Used To Disable Windows Firewall, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Powershell AMSI Bypass, Netsh RDP Port Opening, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Allowed Python Program, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Netsh Port Opening, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Elevated Msiexec Via Repair Functionality, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Correlation Priv Esc Via Remote Thread, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Reconnaissance Commands Activities, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1, Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Stormshield Ses Critical Block, Stormshield Ses Critical Not Block, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HTA Infection Chains, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Stormshield Ses Emergency Block, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Suspicious Windows Installer Execution, xWizard Execution, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, Suspicious Control Process, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Svchost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Exfiltration Via Pscp, Taskhost Wrong Parent, PsExec Process, Mshta Command From A Scheduled Task, Lsass Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Screenconnect Remote Execution, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, WMImplant Hack Tool, Suspicious Taskkill Command, Powershell Web Request, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh Allow Command"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, FlowCloud Malware, Windows Defender Logging Modification Via Registry, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, LanManServer Registry Modify"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMI Fingerprint Commands, Impacket Wmiexec Module, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Web Application Launching Shell, Screenconnect Remote Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, Mustang Panda Dropper"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Component Object Model Hijacking, WMI Event Subscription, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Msiexec Via Repair Functionality, Elevated Shell Launched By Browser"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
index 785bcf2c5..d56ad2ff6 100644
--- a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cryptomining, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index 1749a48ea..71f72b0c2 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Aspnet Compiler, Suspicious File Name"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains, ZIP LNK Infection Chain"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler, Microsoft Office Creating Suspicious File, Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index 88754f6f0..8b7289196 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cryptomining, Potential LokiBot User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index af2c7720a..de2b5ffe4 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Dynamic DNS Contacted, Nimbo-C2 User Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 7b7aedccd..5ddbe0e03 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Changelog _last update on 2025-02-17_
+Changelog _last update on 2025-02-25_
 
 ## Changelog
 
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 5941b92ca..626baa36f 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **996 built-in detection rules** ([_last update on 2025-02-17_](rules_changelog.md)).
+Rules catalog includes **996 built-in detection rules** ([_last update on 2025-02-25_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Identity Information**
 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.md
index 92ad0bbe4..d9c0a7a5e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Mimecast Email Security [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Mimecast Email Security**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Mimecast Email Security [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Mimecast Email Security on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
     
     Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.md
index d8d9758c8..ac20b450c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **1Password EPM [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **1Password EPM**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x 1Password EPM [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x 1Password EPM on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json){ .md-button }
 ??? abstract "1Password EPM Brute Force"
     
     Detects multiple failed login followed by a success from the same user.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md
index 1ea386bc0..e45098d26 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Daspren Parad [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Daspren Parad**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Daspren Parad [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Daspren Parad on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json){ .md-button }
 ??? abstract "Active Directory Data Export Using Csvde"
     
     Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_23d06c74-9311-4d56-b2ac-5d70c0b322fc_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_23d06c74-9311-4d56-b2ac-5d70c0b322fc_do_not_edit_manually.md
new file mode 100644
index 000000000..33e058202
--- /dev/null
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_23d06c74-9311-4d56-b2ac-5d70c0b322fc_do_not_edit_manually.md
@@ -0,0 +1 @@
+No related built-in rules was found. This message is automatically generated.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md
index 3398ec998..bc72ce21d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md
@@ -3,90 +3,24 @@
 The following Sekoia.io built-in rules match the intake **Cisco ESA**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco ESA on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json){ .md-button }
-??? abstract "Active Directory Data Export Using Csvde"
-    
-    Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.
-    
-    - **Effort:** elementary
-
-??? abstract "AdFind Usage"
-    
-    Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory.  Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects 
-    
-    - **Effort:** elementary
-
-??? abstract "Adexplorer Usage"
-    
-    Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.
-    
-    - **Effort:** advanced
-
-??? abstract "Adidnsdump Enumeration"
-    
-    Detects use of the tool adidnsdump for enumeration and discovering DNS records.
-    
-    - **Effort:** advanced
-
-??? abstract "Advanced IP Scanner"
-    
-    Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-    
-    - **Effort:** master
-
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
     
     Detects Bazar Loader domains based on the Bazar Loader DGA
     
     - **Effort:** elementary
 
-??? abstract "Bloodhound and Sharphound Tools Usage"
-    
-    Detects default process names and default command line parameters used by Bloodhound and Sharphound tools.
-    
-    - **Effort:** intermediate
-
 ??? abstract "Burp Suite Tool Detected"
     
     Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
     
     - **Effort:** intermediate
 
-??? abstract "CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"
-    
-    Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events.
-    
-    - **Effort:** master
-
-??? abstract "CVE-2018-11776 Apache Struts2"
-    
-    Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
-    
-    - **Effort:** intermediate
-
-??? abstract "CVE-2019-0604 SharePoint"
-    
-    Detects the exploitation of the SharePoint vulnerability (CVE-2019-0604).
-    
-    - **Effort:** advanced
-
 ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
     
     Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.
     
     - **Effort:** elementary
 
-??? abstract "CVE-2020-1147 SharePoint"
-    
-    Detection of SharePoint vulnerability CVE-2020-1147.
-    
-    - **Effort:** advanced
-
-??? abstract "CVE-2020-14882 Oracle WebLogic Server"
-    
-    Detects the exploitation of the Oracle WebLogic Server vulnerability (CVE-2020-16952).
-    
-    - **Effort:** advanced
-
 ??? abstract "CVE-2020-17530 Apache Struts RCE"
     
     Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).
@@ -105,90 +39,24 @@ The following Sekoia.io built-in rules match the intake **Cisco ESA**. This docu
     
     - **Effort:** advanced
 
-??? abstract "CVE-2021-21972 VMware vCenter"
-    
-    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). POST request on the following PATH "/ui/vropspluginui/rest/services/uploadova". If in response body (500) the words it has "uploadFile", that means the vCenter is available to accept files via POST without any restrictions.
-    
-    - **Effort:** intermediate
-
-??? abstract "CVE-2021-21985 VMware vCenter"
-    
-    The VMware vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.0 before 7.0 U2b, 6.7 before 6.7 U3n and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).
-    
-    - **Effort:** advanced
-
-??? abstract "CVE-2021-22123 Fortinet FortiWeb OS Command Injection"
-    
-    Detects Fortinet FortiWeb OS Command Injection (August 2021) vulnerability exploitation attempt. A remote, authenticated attacker can execute arbitrary commands on the system hosting a vulnerable FortiWeb WAF by sending a POST request with the command in the name field. At the time of writing this rule, it would appear that the request would respond in code 500 for a successful exploitation attempt.
-    
-    - **Effort:** advanced
-
 ??? abstract "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"
     
     Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.
     
     - **Effort:** intermediate
 
-??? abstract "CVE-2021-26855 Exchange SSRF"
-    
-    Detects the exploitation of ProyxLogon vulerability on Exchange servers.
-    
-    - **Effort:** advanced
-
-??? abstract "CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"
-    
-    Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11.
-    
-    - **Effort:** master
-
-??? abstract "Certificate Authority Modification"
-    
-    Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.
-    
-    - **Effort:** master
-
-??? abstract "Certify Or Certipy"
-    
-    Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.
-    
-    - **Effort:** advanced
-
-??? abstract "Cobalt Strike Default Beacons Names"
-    
-    Detects the default names of Cobalt Strike beacons / payloads.
-    
-    - **Effort:** intermediate
-
-??? abstract "Correlation Potential DNS Tunnel"
-    
-    Detects domain name which is longer than 62 characters and requested at least 50 times in a 10 minutes range time. Long domain names are distinctive of DNS tunnels.
-    
-    - **Effort:** advanced
-
 ??? abstract "Covenant Default HTTP Beaconing"
     
     Detects potential Covenant communications through the user-agent and specific urls
     
     - **Effort:** intermediate
 
-??? abstract "Credential Dump Tools Related Files"
-    
-    Detects processes or file names related to credential dumping tools and the dropped files they generate by default.
-    
-    - **Effort:** advanced
-
 ??? abstract "Cryptomining"
     
     Detection of domain names potentially related to cryptomining activities.
     
     - **Effort:** master
 
-??? abstract "DNS Query For Iplookup"
-    
-    Detects dns query of observables tagged as iplookup.
-    
-    - **Effort:** master
-
 ??? abstract "Detect requests to Konni C2 servers"
     
     This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.
@@ -219,126 +87,24 @@ The following Sekoia.io built-in rules match the intake **Cisco ESA**. This docu
     
     - **Effort:** intermediate
 
-??? abstract "Exfiltration And Tunneling Tools Execution"
-    
-    Execution of well known tools for data exfiltration and tunneling
-    
-    - **Effort:** advanced
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
     
     - **Effort:** master
 
-??? abstract "FoggyWeb HTTP Default GET/POST Requests"
-    
-    Detects GET or POST request pattern observed within the first FoggyWeb campaign detected by Microsoft.
-    
-    - **Effort:** advanced
-
-??? abstract "HTA Infection Chains"
-    
-    Detect the creation of a ZIP file and an HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance).
-    
-    - **Effort:** advanced
-
-??? abstract "HackTools Suspicious Names"
-    
-    Quick-win rule to detect the default process names or file names of several HackTools.
-    
-    - **Effort:** elementary
-
-??? abstract "Hijack Legit RDP Session To Move Laterally"
-    
-    Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
-    
-    - **Effort:** intermediate
-
-??? abstract "ISO LNK Infection Chain"
-    
-    Detection of an ISO (or any other similar archive file) downloaded file, followed by a child-process of explorer, which is characteristic of an infection using an ISO containing an LNK file. For events with `host.name`.
-    
-    - **Effort:** intermediate
-
-??? abstract "Kernel Module Alteration"
-    
-    Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. The prerequisites are to enable monitoring of the finit_module, init_module, delete_module syscalls using Auditbeat.
-    
-    - **Effort:** advanced
-
 ??? abstract "Koadic MSHTML Command"
     
     Detects Koadic payload using MSHTML module
     
     - **Effort:** intermediate
 
-??? abstract "Microsoft Exchange Server Creating Unusual Files"
-    
-    Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability
-    
-    - **Effort:** intermediate
-
-??? abstract "Microsoft Office Creating Suspicious File"
-    
-    Detects Microsoft Office process (word, excel, powerpoint) creating a suspicious file which corresponds to a script or an executable. This behavior highly corresponds to an executed macro which loads an installation script or a malware payload. The rule requires to log for File Creations to work properly, which can be done through Sysmon Event ID 11.
-    
-    - **Effort:** master
-
-??? abstract "NTDS.dit File In Suspicious Directory"
-    
-    The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.
-    
-    - **Effort:** advanced
-
-??? abstract "Network Scanning and Discovery"
-    
-    Tools and command lines used for network discovery from current system
-    
-    - **Effort:** advanced
-
-??? abstract "Network Sniffing"
-    
-    List of common tools used for network packages sniffing
-    
-    - **Effort:** advanced
-
-??? abstract "Network Sniffing Windows"
-    
-    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-    
-    - **Effort:** intermediate
-
 ??? abstract "Nimbo-C2 User Agent"
     
     Nimbo-C2 Uses an unusual User-Agent format in its implants.
     
     - **Effort:** intermediate
 
-??? abstract "NlTest Usage"
-    
-    Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain.
-    
-    - **Effort:** advanced
-
-??? abstract "OneNote Embedded File"
-    
-    Detects creation or uses of OneNote embedded files with unusual extensions.  
-    
-    - **Effort:** intermediate
-
-??? abstract "OneNote Suspicious Children Process"
-    
-    In January 2023, a peak of attacks using .one files was observed in the wild. This rule tries to detect the effect of such attempts using this technique.
-    
-    - **Effort:** advanced
-
-??? abstract "PasswordDump SecurityXploded Tool"
-    
-    Detects the execution of the PasswordDump SecurityXploded Tool
-    
-    - **Effort:** elementary
-
 ??? abstract "Possible Malicious File Double Extension"
     
     Detects request to potential malicious file with double extension
@@ -351,60 +117,18 @@ The following Sekoia.io built-in rules match the intake **Cisco ESA**. This docu
     
     - **Effort:** elementary
 
-??? abstract "Potential DNS Tunnel"
-    
-    Detects domain name which is longer than 62 characters. Long domain names are distinctive of DNS tunnels.
-    
-    - **Effort:** advanced
-
 ??? abstract "Potential Lemon Duck User-Agent"
     
     Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".
     
     - **Effort:** elementary
 
-??? abstract "Potential LokiBot User-Agent"
-    
-    Detects potential LokiBot communications through the user-agent
-    
-    - **Effort:** intermediate
-
-??? abstract "Privilege Escalation Awesome Scripts (PEAS)"
-    
-    Detect PEAS privileges escalation scripts and binaries
-    
-    - **Effort:** elementary
-
-??? abstract "Process Trace Alteration"
-    
-    PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.
-    
-    - **Effort:** advanced
-
 ??? abstract "ProxyShell Microsoft Exchange Suspicious Paths"
     
     Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.
     
     - **Effort:** elementary
 
-??? abstract "PsExec Process"
-    
-    Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators. 
-    
-    - **Effort:** advanced
-
-??? abstract "RDP Session Discovery"
-    
-    Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.
-    
-    - **Effort:** advanced
-
-??? abstract "RTLO Character"
-    
-    Detects RTLO (Right-To-Left character) in file and process names.
-    
-    - **Effort:** elementary
-
 ??? abstract "Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"
     
     Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts.
@@ -423,12 +147,6 @@ The following Sekoia.io built-in rules match the intake **Cisco ESA**. This docu
     
     - **Effort:** master
 
-??? abstract "Remote Monitoring and Management Software - Atera"
-    
-    Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.
-    
-    - **Effort:** master
-
 ??? abstract "SEKOIA.IO Intelligence Feed"
     
     Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
@@ -441,48 +159,12 @@ The following Sekoia.io built-in rules match the intake **Cisco ESA**. This docu
     
     - **Effort:** master
 
-??? abstract "SolarWinds Suspicious File Creation"
-    
-    Detects SolarWinds process creating a file with a suspicious extension. The process solarwinds.businesslayerhost.exe created an unexpected file whose extension is ".exe", ".ps1", ".jpg", ".png" or ".dll".
-    
-    - **Effort:** intermediate
-
-??? abstract "Suspicious Desktopimgdownldr Execution"
-    
-    Detects a suspicious Desktopimgdownldr execution. Desktopimgdownldr.exe is a Windows binary used to configure lockscreen/desktop image and can be abused to download malicious file.
-    
-    - **Effort:** intermediate
-
-??? abstract "Suspicious Double Extension"
-    
-    Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns
-    
-    - **Effort:** advanced
-
 ??? abstract "Suspicious Download Links From Legitimate Services"
     
     Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
     
     - **Effort:** intermediate
 
-??? abstract "Suspicious Email Attachment Received"
-    
-    Detects email containing a suspicious file as an attachment, based on its extension.
-    
-    - **Effort:** advanced
-
-??? abstract "Suspicious File Name"
-    
-    Detects suspicious file name possibly linked to malicious tool.
-    
-    - **Effort:** advanced
-
-??? abstract "Suspicious PROCEXP152.sys File Created In Tmp"
-    
-    Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
-    
-    - **Effort:** advanced
-
 ??? abstract "Suspicious TOR Gateway"
     
     Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
@@ -495,50 +177,14 @@ The following Sekoia.io built-in rules match the intake **Cisco ESA**. This docu
     
     - **Effort:** intermediate
 
-??? abstract "Suspicious Windows DNS Queries"
-    
-    Detects a suspicious Windows command-line process making a DNS query via known abuse text paste web services. This is based on Microsoft Windows Sysmon events (Event ID 22).
-    
-    - **Effort:** advanced
-
-??? abstract "System Info Discovery"
-    
-    System info discovery, attempt to detects basic command use to fingerprint a host.
-    
-    - **Effort:** master
-
 ??? abstract "TOR Usage Generic Rule"
     
     Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
     
     - **Effort:** master
 
-??? abstract "Telegram Bot API Request"
-    
-    Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
-    
-    - **Effort:** advanced
-
 ??? abstract "TrevorC2 HTTP Communication"
     
     Detects TrevorC2 HTTP communication based on the HTTP request URI and the user-agent. 
     
     - **Effort:** elementary
-
-??? abstract "WCE wceaux.dll Creation"
-    
-    Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
-    
-    - **Effort:** intermediate
-
-??? abstract "WMI Persistence Script Event Consumer File Write"
-    
-    Detects file writes through WMI script event consumer.
-    
-    - **Effort:** advanced
-
-??? abstract "Webshell Creation"
-    
-    Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.
-    
-    - **Effort:** master
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.md
index b34138758..30619485e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **ESET Protect [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **ESET Protect**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x ESET Protect [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x ESET Protect on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json){ .md-button }
 ??? abstract "Active Directory Data Export Using Csvde"
     
     Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.md
index 6494f7d42..d27d7d014 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Sesame it Jizo NDR**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Jizo AI / Sesame it NDR**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Sesame it Jizo NDR on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Jizo AI / Sesame it NDR on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json){ .md-button }
 ??? abstract "Alert High Severity Sesame it Jizo NDR"
     
     Detects a high severity alert raised by SesameIT.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md
index 2bc87151f..ebe5ae37a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Google Cloud Load Balancing [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Google Cloud Load Balancing**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Google Cloud Load Balancing [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Google Cloud Load Balancing on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
     
     Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.md
index e9f67561c..818088b0c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Clavister NGFW [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Clavister NGFW**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Clavister NGFW [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Clavister NGFW on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json){ .md-button }
 ??? abstract "Account Added To A Security Enabled Group"
     
     Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.md
index d9711bc10..4d12387a9 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Azure Application Gateway [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Azure Application Gateway**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Azure Application Gateway [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Azure Application Gateway on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
     
     Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.md
index 4099b6de9..807b3166e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Thinkst Canary [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Thinkst Canary**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Thinkst Canary [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Thinkst Canary on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json){ .md-button }
 ??? abstract "Account Added To A Security Enabled Group"
     
     Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.md
index f95f6084e..1faf65432 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Ubika Cloud Protector Traffic [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Ubika Cloud Protector Traffic**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Ubika Cloud Protector Traffic [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Ubika Cloud Protector Traffic on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json){ .md-button }
 ??? abstract "Covenant Default HTTP Beaconing"
     
     Detects potential Covenant communications through the user-agent and specific urls
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.md
index e712a0594..e207efc6d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Fastly Next-Gen WAF Alerts [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Fastly Next-Gen WAF Alerts**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Fastly Next-Gen WAF Alerts on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json){ .md-button }
 ??? abstract "Cryptomining"
     
     Detection of domain names potentially related to cryptomining activities.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.md
index 06f6e2f18..64c8a8cc1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Olfeo secure web gateway [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Olfeo secure web gateway**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Olfeo secure web gateway [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Olfeo secure web gateway on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
     
     Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md
index 37c1a9366..7564ebc2b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **OCSF [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **OCSF**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x OCSF [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x OCSF on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json){ .md-button }
 ??? abstract "AMSI Deactivation Using Registry Key"
     
     The rule detects attempts to deactivate/disable the AMSI provider by deleting the associated registry key.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.md
index 7c339e3a0..9d8e1ccac 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Azure Key Vault [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Azure Key Vault**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Azure Key Vault [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Azure Key Vault on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
     
     Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.md
index 0830ce048..5594989e3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Juniper Networks Switches [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Juniper Networks Switches**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Juniper Networks Switches [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Juniper Networks Switches on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json){ .md-button }
 ??? abstract "Cryptomining"
     
     Detection of domain names potentially related to cryptomining activities.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.md
index d94ec04dd..ce0963a96 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Ubika Cloud Protector Alerts [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Ubika Cloud Protector Alerts**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Ubika Cloud Protector Alerts [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Ubika Cloud Protector Alerts on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json){ .md-button }
 ??? abstract "Cryptomining"
     
     Detection of domain names potentially related to cryptomining activities.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.md
index e0b0ba21e..cdf45cd76 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Systancia Cleanroom [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Systancia Cleanroom**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Systancia Cleanroom [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Systancia Cleanroom on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json){ .md-button }
 ??? abstract "Cryptomining"
     
     Detection of domain names potentially related to cryptomining activities.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
index 210799cc9..61b959b63 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **IBM iSeries [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **IBM iSeries**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x IBM iSeries [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x IBM iSeries on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json){ .md-button }
 ??? abstract "Account Added To A Security Enabled Group"
     
     Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 55ab62b6e..b90eef5b0 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
 # Built-in detection rules, EventIDs and EventProviders relations
 SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2025-02-17_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2025-02-25_
 
 The colors of the EventIDs in this page should be interpreted as follow:
 
@@ -334,7 +334,7 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | Capture a network trace with netsh.exe | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Password Dumper Activity On LSASS | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
 | OceanLotus Registry Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Usage Of Procdump With Common Arguments | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Usage Of Procdump With Common Arguments | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | MMC Spawning Windows Shell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Exchange Server Spawning Suspicious Processes | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | OneNote Embedded File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
@@ -515,7 +515,7 @@ The colors of the EventIDs in this page should be interpreted as follow:
 ## EventIDs occurences in rules
 | EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 499) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| 1 | 233 | 46.69 % |
+| 1 | 234 | 46.89 % |
 | 13 | 50 | 10.02 % |
 | 4104 | 45 | 9.02 % |
 | 5 | 27 | 5.41 % |