diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 595d1e47fb..b5d563422d 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Commands Invocation, Suspicious Taskkill Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, WMIC Uninstall Product, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Control Panel Items"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index a271476265..6ccb051388 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Powershell Web Request, Python Offensive Tools and Packages, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Control Process, xWizard Execution, Empire Monkey Activity, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Windows Installer Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, SSH X11 Forwarding, Netsh Port Forwarding, SSH Tunnel Traffic"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index 95a8ef40ce..3fdf09ee21 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 58ee1f0beb..b1bc46c9be 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Threat Detected, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, WithSecure Elements Critical Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Microsoft Defender Antivirus Tampering Detected, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, WithSecure Elements Critical Severity, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, WithSecure Elements Critical Severity"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, MavInject Process Injection, CertOC Loading Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, WithSecure Elements Critical Severity, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index e2fdfa3843..24e63dca68 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index 6be72f994e..4fbf13e0eb 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace User Suspended, Google Workspace Admin Deletion"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Admin Modification, Google Workspace Domain Delegation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace Password Change, Google Workspace MFA changed"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace User Suspended, Google Workspace Admin Deletion"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 283a0a5a00..359d5368c6 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, SELinux Disabling, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender XDR Cloud App Security Alert, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Socat Reverse Shell Detection, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Microsoft Defender XDR Endpoint Alert, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, Microsoft Defender XDR Alert, Microsoft Defender XDR Office 365 Alert, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Winlogon wrong parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Microsoft Defender XDR Endpoint Alert, Smss Wrong Parent, Microsoft Defender XDR Alert, Svchost Wrong Parent, Searchindexer Wrong Parent, Microsoft Defender XDR Office 365 Alert, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, Winrshost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Taskhost Wrong Parent, New Service Creation, Csrss Wrong Parent, Winlogon wrong parent, Wininit Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Taskhost Wrong Parent, New Service Creation, Csrss Wrong Parent, Winlogon wrong parent, Wininit Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Alert, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender XDR Cloud App Security Alert, Download Files From Suspicious TLDs, Microsoft Defender XDR Endpoint Alert, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, WCE wceaux.dll Creation, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, NjRat Registry Changes, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, SELinux Disabling, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender XDR Alert, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender XDR Endpoint Alert, MalwareBytes Uninstallation, Powershell Web Request, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Microsoft Defender XDR Cloud App Security Alert, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Socat Relaying Socket, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Microsoft Defender XDR Office 365 Alert, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, Windows Update LolBins, Smss Wrong Parent, Winrshost Wrong Parent, Winword wrong parent, Wininit Wrong Parent, Microsoft Defender XDR Alert, Microsoft Defender XDR Endpoint Alert, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Taskhost Wrong Parent, Microsoft Defender XDR Office 365 Alert, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Usage Of Sysinternals Tools, Lsass Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Winword wrong parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Winword wrong parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Winword wrong parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Usage Of Sysinternals Tools, Lsass Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Microsoft Defender XDR Cloud App Security Alert, Microsoft Defender XDR Alert, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Endpoint Alert, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Possible Malicious File Double Extension, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, Cryptomining, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Relaying Socket, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 8d15e81efb..13f411a380 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index 2cc67ea9c2..7da75cb9f2 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Trend Micro Apex One Malware Alert, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Trend Micro Apex One Data Loss Prevention Alert, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Trend Micro Apex One Malware Alert, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert, Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert, SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Trend Micro Apex One Malware Alert, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Trend Micro Apex One Data Loss Prevention Alert, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, MavInject Process Injection, CertOC Loading Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Trend Micro Apex One Malware Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert, SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index 299316d48a..cba675171f 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 78e0ba5e78..218ab01689 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, WMIC Uninstall Product, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, SentinelOne EDR Threat Detected (Suspicious), MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, SentinelOne EDR Threat Mitigation Report Quarantine Success, PowerShell Commands Invocation, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR SSO User Added, WMIC Uninstall Product, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Default Encoding To UTF-8 PowerShell, SentinelOne EDR User Logged In To The Management Console, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Malicious Threat Not Mitigated, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, Suspicious DLL Loading By Ordinal, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, MS Office Product Spawning Exe in User Dir, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Not Mitigated, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Custom Rule Alert, Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR Custom Rule Alert, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, SentinelOne EDR SSO User Added, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Detected (Malicious), Suspicious PowerShell Invocations - Specific, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Not Mitigated, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, PowerShell Commands Invocation, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), PowerShell EncodedCommand, Lazarus Loaders, SentinelOne EDR Agent Disabled, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Threat Mitigation Report Quarantine Success, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Not Mitigated, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SentinelOne EDR Custom Rule Alert, SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Detected (Malicious)"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Control Panel Items"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Custom Rule Alert, SentinelOne EDR SSO User Added, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Detected (Malicious)"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 384ceaded7..2a4ecdc222 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index f412089394..c18db04b97 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Powershell Web Request, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Suspicious DNS Child Process, Winword wrong parent, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Windows Update LolBins"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Suspicious DNS Child Process, Winword wrong parent, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, FLTMC command usage, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Windows Update LolBins, PsExec Process, Suspicious DNS Child Process, Winword wrong parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Suspicious DNS Child Process, Winword wrong parent"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 2574ebcd3e..f8ad9edbe2 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, SELinux Disabling, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Socat Reverse Shell Detection, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Winlogon wrong parent, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Winlogon wrong parent, Lsass Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Winlogon wrong parent, Lsass Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Winlogon wrong parent, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Disable Workstation Lock, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, NjRat Registry Changes, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, SELinux Disabling, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Powershell Web Request, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Socat Relaying Socket, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Usage Of Sysinternals Tools, Lsass Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Usage Of Sysinternals Tools, Lsass Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Relaying Socket, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 3554eaa7cc..7c811a8dbc 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 119965a07e..7fe34cb30e 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Malicious IP"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Malicious IP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index b8d456b7d8..8a34f28b89 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index 834d328b93..a951ad59ed 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 6d1525158a..795800ceff 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Sekoia.io EICAR Detection, Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Commands Invocation, Suspicious Taskkill Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Windows Installer Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, WMIC Uninstall Product, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Sekoia.io EICAR Detection, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Control Panel Items"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index d3359309ce..b586871b62 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index a2dc21ea2b..fa903862f6 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Intrusion Detection Low Severity, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, CrowdStrike Falcon Intrusion Detection, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Identity Protection Detection Informational Severity, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, CrowdStrike Falcon Intrusion Detection Informational Severity, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, CrowdStrike Falcon Identity Protection Detection High Severity, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, CrowdStrike Falcon Intrusion Detection High Severity, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, CrowdStrike Falcon Identity Protection Detection Medium Severity"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Low Severity, Rare Lsass Child Found, Taskhost Wrong Parent, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Informational Severity, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winlogon wrong parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Exfiltration Via Pscp, Userinit Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Intrusion Detection High Severity, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Low Severity, Explorer Process Executing HTA File, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection, Microsoft Office Spawning Script, CrowdStrike Falcon Identity Protection Detection Informational Severity, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Winword Document Droppers, CrowdStrike Falcon Identity Protection Detection Low Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection High Severity, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection High Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Identity Protection Detection Medium Severity"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, WCE wceaux.dll Creation, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, CrowdStrike Falcon Mobile Detection Medium Severity, CrowdStrike Falcon Mobile Detection Low Severity, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection High Severity, CrowdStrike Falcon Mobile Detection Informational Severity, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, CrowdStrike Falcon Mobile Detection Critical Severity, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, FLTMC command usage, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, CrowdStrike Falcon Identity Protection Detection High Severity, Trickbot Malware Activity, Powershell Web Request, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, Exploited CVE-2020-10189 Zoho ManageEngine, CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious PowerShell Invocations - Specific, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, Windows Update LolBins, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, Taskhostw Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Dllhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, CrowdStrike Falcon Intrusion Detection Critical Severity, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Medium Severity, Exploit For CVE-2015-1641, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, CrowdStrike Falcon Mobile Detection Low Severity, CrowdStrike Falcon Mobile Detection Critical Severity, CrowdStrike Falcon Mobile Detection Medium Severity, CrowdStrike Falcon Mobile Detection High Severity, CrowdStrike Falcon Mobile Detection Informational Severity, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index fa3fc0c8c3..acd8392790 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index ca9180bd9c..6afeeeae85 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index dead7e1823..ac5121431b 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Clear EventLogs Through CommandLine, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Configuration Changed, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Suspect Svchost Memory Access, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Python Opening Ports, Windows Defender Deactivation Using PowerShell Script, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, Powershell AMSI Bypass, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Turla Named Pipes, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, Invoke-TheHash Commandlets, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Turla Named Pipes, Trickbot Malware Activity, Suspicious PowerShell Keywords, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, Suspicious XOR Encoded PowerShell Command Line, PowerShell Commands Invocation, Microsoft Office Spawning Script, FromBase64String Command Line, Suspicious Cmd.exe Command Line, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Aspnet Compiler, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, PowerShell Credential Prompt, WMIC Uninstall Product, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, XSL Script Processing And SquiblyTwo Attack, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Malspam Execution Registering Malicious DLL, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Scripting In A WMI Consumer, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Smbexec.py Service Installation, OneNote Suspicious Children Process, Suspicious PsExec Execution, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Windows Suspicious Service Creation, Gpscript Suspicious Parent, Microsoft Defender Antivirus Threat Detected, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Smss Wrong Parent, Check Point Harmony Mobile Application Forbidden, Searchindexer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Kernel Module Alteration, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Csrss Child Found, APT29 Fake Google Update Service Install, Dllhost Wrong Parent, StoneDrill Service Install, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Csrss Child Found, APT29 Fake Google Update Service Install, Dllhost Wrong Parent, StoneDrill Service Install, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Smbexec.py Service Installation, OneNote Suspicious Children Process, Suspicious PsExec Execution, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Windows Suspicious Service Creation, Gpscript Suspicious Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, FlowCloud Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, Disable Workstation Lock, Suspicious New Printer Ports In Registry, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, RDP Port Change Using Powershell, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, Active Directory Replication from Non Machine Account, RedMimicry Winnti Playbook Dropped File, Active Directory Database Dump Via Ntdsutil, DCSync Attack, Suspicious CommandLine Lsassy Pattern, Dumpert LSASS Process Dumper, Credential Dump Tools Related Files, LSASS Access From Non System Account, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, WCE wceaux.dll Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, Suspicious SAM Dump, Impacket Secretsdump.py Tool, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump File Creation, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, LSASS Memory Dump, Cmdkey Cached Credentials Recon, Malicious Service Installations, Wdigest Enable UseLogonCredential, Credential Dumping By LaZagne, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Transfering Files With Credential Data Via Network Shares, Rubeus Tool Command-line, Mimikatz LSASS Memory Access, Lsass Access Through WinRM, HackTools Suspicious Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, Mimikatz LSASS Memory Access, Lsass Access Through WinRM, Dumpert LSASS Process Dumper, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Dynwrapx Module Loading, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Desktopimgdownldr Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Denied Access To Remote Desktop"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, WMI Install Of Binary, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Admin Share Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, RDP Port Change Using Powershell, MMC20 Lateral Movement, Smbexec.py Service Installation, Protected Storage Service Access, Lsass Access Through WinRM, Denied Access To Remote Desktop, MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, Werfault DLL Injection, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, Active Directory User Backdoors, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Replication User Backdoor"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Low Threat, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Defender Antivirus Threat Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Low Threat, Suspicious Outlook Child Process, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Suspicious New Printer Ports In Registry, Audit CVE Event"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Mustang Panda Dropper, Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Sticky Key Like Backdoor Usage, Suspicious Scripting In A WMI Consumer, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, WMI Event Subscription, Change Default File Association"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Possible Replay Attack, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Register New Logon Process"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, Process Herpaderping, Process Hollowing Detection, Dynwrapx Module Loading, MavInject Process Injection, Spoolsv Wrong Parent, Malicious Named Pipe, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Cobalt Strike Named Pipes, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, New Or Renamed User Account With '$' In Attribute 'SamAccountName', AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, PowerView commandlets 1, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Credential Dump Tools Related Files, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, Cookies Deletion, Secure Deletion With SDelete, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Audit CVE Event, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh Port Forwarding, Python Opening Ports, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SSH X11 Forwarding, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Python Opening Ports, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspect Svchost Memory Access, Powershell AMSI Bypass, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, In-memory PowerShell, Turla Named Pipes, Powershell Web Request, Detection of default Mimikatz banner, Alternate PowerShell Hosts Pipe, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, In-memory PowerShell, MalwareBytes Uninstallation, Turla Named Pipes, Trickbot Malware Activity, Powershell Web Request, Detection of default Mimikatz banner, Alternate PowerShell Hosts Pipe, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Mustang Panda Dropper, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Phorpiex DriveMgr Command, PowerShell Credential Prompt, Suspicious VBS Execution Parameter, PowerShell Malicious PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Suspicious Scripting In A WMI Consumer, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, FromBase64String Command Line, Aspnet Compiler, Suspicious XOR Encoded PowerShell Command Line, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Windows Suspicious Service Creation, Winrshost Wrong Parent, Credential Dumping Tools Service Execution, Csrss Child Found, Check Point Harmony Mobile Application Forbidden, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, Smbexec.py Service Installation, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Suspicious PsExec Execution, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Malicious Service Installations, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent, Metasploit PSExec Service Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Njrat Registry Values, Suspicious desktop.ini Action, NjRat Registry Changes, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, StoneDrill Service Install, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, StoneDrill Service Install, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Windows Suspicious Service Creation, Winrshost Wrong Parent, Credential Dumping Tools Service Execution, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, Smbexec.py Service Installation, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Suspicious PsExec Execution, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Malicious Service Installations, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent, Metasploit PSExec Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, FlowCloud Malware, Suspicious New Printer Ports In Registry, Chafer (APT 39) Activity, Ursnif Registry Key, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, NetNTLM Downgrade Attack, Disable Workstation Lock, RDP Port Change Using Powershell, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, DNS ServerLevelPluginDll Installation, Remote Registry Management Using Reg Utility, OceanLotus Registry Activity, Disable Security Events Logging Adding Reg Key MiniNt, RDP Sensitive Settings Changed, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Unsigned Image Loaded Into LSASS Process, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Mimikatz Basic Commands, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Mimikatz LSASS Memory Access, Transfering Files With Credential Data Via Network Shares, Credential Dumping Tools Service Execution, Password Dumper Activity On LSASS, WCE wceaux.dll Creation, HackTools Suspicious Names, SAM Registry Hive Handle Request, Wdigest Enable UseLogonCredential, LSASS Access From Non System Account, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Cmdkey Cached Credentials Recon, Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Dumpert LSASS Process Dumper, Active Directory Database Dump Via Ntdsutil, Process Memory Dump Using Createdump, Impacket Secretsdump.py Tool, Lsass Access Through WinRM, LSASS Memory Dump File Creation, HackTools Suspicious Process Names In Command Line, Credential Dumping-Tools Common Named Pipes, Suspicious CommandLine Lsassy Pattern, LSASS Memory Dump, Copying Browser Files With Credentials, Load Of dbghelp/dbgcore DLL From Suspicious Process, DCSync Attack, Credential Dumping By LaZagne, Malicious Service Installations, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Unsigned Image Loaded Into LSASS Process, Dumpert LSASS Process Dumper, Credential Dumping-Tools Common Named Pipes, Suspicious CommandLine Lsassy Pattern, LSASS Access From Non System Account, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Mimikatz LSASS Memory Access, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, LSASS Memory Dump File Creation, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, Dynwrapx Module Loading, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Malspam Execution Registering Malicious DLL, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, User Added to Local Administrators, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, WMImplant Hack Tool, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, RDP Port Change Using Powershell, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, MMC Spawning Windows Shell, Lsass Access Through WinRM, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, Admin Share Access, Denied Access To Remote Desktop"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Enabling Restricted Admin Mode, Active Directory Replication User Backdoor, Mimikatz Basic Commands, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, Active Directory User Backdoors"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Domain Trust Created Or Removed, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Medium Threat, HarfangLab EDR Medium Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Medium Threat, HarfangLab EDR Medium Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Mustang Panda Dropper, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, Dynamic DNS Contacted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, CreateRemoteThread Common Process Injection, Explorer Wrong Parent, Malicious Named Pipe, Taskhost Wrong Parent, Svchost Wrong Parent, Process Hollowing Detection, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Cobalt Strike Named Pipes, Process Herpaderping, Dynwrapx Module Loading, Taskhostw Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, Credential Dump Tools Related Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, RTLO Character, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD User Enumeration, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde, Remote Privileged Group Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, SAM Registry Hive Handle Request, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, TUN/TAP Driver Installation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Eventlog Cleared, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Audit CVE Event, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Python Opening Ports, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, SSH X11 Forwarding, Netsh Port Forwarding, SSH Tunnel Traffic, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index de96fcd5c7..5fa2ffb62b 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index a01a5b7938..71f44a44a7 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index 0a52c70db7..4daeea77b4 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Threat Detected, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Disable Workstation Lock, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, NjRat Registry Changes, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Trickbot Malware Activity, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 2f99dd7b85..2b880957b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index ffa6d8e924..3c7172632c 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Sekoia.io EICAR Detection, Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Commands Invocation, Suspicious Taskkill Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Windows Installer Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, WMIC Uninstall Product, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Sekoia.io EICAR Detection, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Control Panel Items"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index ae3ec3334d..54886606ea 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index 6efb5651e8..23cec2d30a 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, ESET Protect Malware, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, ESET Protect Intrusion Detection, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Aspnet Compiler, Sekoia.io EICAR Detection, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Lsass Wrong Parent"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, ESET Protect Malware, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ESET Protect Intrusion Detection, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Suspicious Outlook Child Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Aspnet Compiler, Sekoia.io EICAR Detection, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 8fe280f851..998f5aa0d9 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index 4445cccfa1..b2f811540e 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index ee2e7780e1..bf615a883e 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index 3cbbc51959..2adc40a3c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index 5584c0809a..fe45fb5ea9 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Powershell AMSI Bypass, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Invoke-TheHash Commandlets, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Suspicious PowerShell Keywords, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, Suspicious XOR Encoded PowerShell Command Line, PowerShell Commands Invocation, Microsoft Office Spawning Script, FromBase64String Command Line, Suspicious Cmd.exe Command Line, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Aspnet Compiler, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, PowerShell Credential Prompt, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, WMI Install Of Binary, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Low Threat, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Defender Antivirus Threat Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Low Threat, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining, Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, FLTMC command usage, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Powershell AMSI Bypass, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Trickbot Malware Activity, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Phorpiex DriveMgr Command, PowerShell Credential Prompt, Suspicious VBS Execution Parameter, PowerShell Malicious PowerShell Commandlets, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, FromBase64String Command Line, Aspnet Compiler, Suspicious XOR Encoded PowerShell Command Line, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Invoke-TheHash Commandlets, WMImplant Hack Tool, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Medium Threat, HarfangLab EDR Medium Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Medium Threat, HarfangLab EDR Medium Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index 8ccd019f81..c3cbf8635f 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 08cc60dd81..cbfe48a57a 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Detection, Sophos EDR CorePUA Clean, Download Files From Suspicious TLDs, Sophos EDR Application Blocked"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR CorePUA Detection, Sophos EDR Application Blocked, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index 85f6b3069f..b27d1d3115 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 7a05cfde9e..d1f78af6db 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cryptomining, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index ecd1f91114..cce12ca9c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Powershell AMSI Bypass, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Invoke-TheHash Commandlets, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Suspicious PowerShell Keywords, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, Suspicious XOR Encoded PowerShell Command Line, PowerShell Commands Invocation, Microsoft Office Spawning Script, FromBase64String Command Line, Suspicious Cmd.exe Command Line, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Aspnet Compiler, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, PowerShell Credential Prompt, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, Domain Trust Discovery Through LDAP, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Disable Workstation Lock, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, DNS Tunnel Technique From MuddyWater, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, NjRat Registry Changes, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Powershell AMSI Bypass, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Trickbot Malware Activity, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Phorpiex DriveMgr Command, PowerShell Credential Prompt, Suspicious VBS Execution Parameter, PowerShell Malicious PowerShell Commandlets, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, FromBase64String Command Line, Aspnet Compiler, Suspicious XOR Encoded PowerShell Command Line, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, Suspicious DNS Child Process, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index d49c5ca29c..6e6aed1251 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned, Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Quarantined, Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 50dc2dc33f..446a1c685b 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 367c990025..7aea05500b 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 02e8f3516e..e151b2dc75 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index f68109355b..4da5670d7b 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cato Networks SASE High Risk Alert, Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Cato Networks SASE High Risk Alert, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index be8601b4e8..be3f1b0d83 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Phishing But Allowed, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Spam But Allowed, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
index d2aaac98c3..04b1d40914 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index cf26d503a9..6988a2aebb 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 6b390bb0e1..410178b2dd 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index ab6d5420b8..e8a7f37066 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
new file mode 100644
index 0000000000..400f0e7bce
--- /dev/null
+++ b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
@@ -0,0 +1 @@
+{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index dcb7c596ca..eb156d441d 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 4bd8ff4463..bdda81c79e 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 299612ea97..1b957aa8c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure, Fortinet FortiGate Firewall Successful External Login"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Fortinet FortiGate Firewall Successful External Login, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
index 35b3720e86..792405caba 100644
--- a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index e2593990d8..f1c425ee51 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 9fa4d951b0..a8973ad44e 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 86657518f5..af94398f91 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, SELinux Disabling, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Socat Relaying Socket, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, MavInject Process Injection, CertOC Loading Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Relaying Socket, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index d7cde596b2..8682b02917 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, FLTMC command usage, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Trickbot Malware Activity, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index 921cd52600..2bc83b9b52 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index 134715b8e5..b28a19e0f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index a0c9ca2413..16773d3114 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 412b1851eb..a72c2fde56 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index 8a6ac88802..7e40d222b5 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
index 4cf5d0eaec..54818fb54a 100644
--- a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index 4767af54e0..e7bdd4d8b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index da51b5c42b..f76006af93 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Sekoia.io EICAR Detection, Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Commands Invocation, Suspicious Taskkill Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Windows Installer Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, WMIC Uninstall Product, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Sekoia.io EICAR Detection, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Control Panel Items"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index 9619ca7a90..bf53ed0345 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index f77d0894f3..15980e2c38 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index bd23870bd5..18d02747a1 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index 50f644cee5..7c3fa94de6 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index 1f27d618be..e427e1ebce 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index b40e680827..e70ce4702a 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Powershell Web Request, Python Offensive Tools and Packages, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Control Process, xWizard Execution, Empire Monkey Activity, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Windows Installer Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index ac2387258a..73140c05b2 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index 9fde46f0b2..826c256c09 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index ea3a67f8b2..77f5682ad3 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 710390d694..520e393400 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert, Varonis Data Security Network Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert, Varonis Data Security Network Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert, Varonis Data Security Network Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert, Varonis Data Security Network Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index f45e0deb25..3781eb2301 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 677f152928..255df758e9 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled, GitHub Delete Action"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled, GitHub Delete Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index a84d74caae..a9fb11afe1 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index 6d222dfcc9..b08f913769 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index ba67c781c1..649c659139 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 147b3185da..242816b8fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index e5143e1081..88434d7e79 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
index 85fbd3c53a..846d7b6dca 100644
--- a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 721d13485b..6fdc4c0a86 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index 505024231c..966af0fc7a 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index a5b6821bce..932961926c 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, TEHTRIS EDR Alert, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, TEHTRIS EDR Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, TEHTRIS EDR Alert, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, TEHTRIS EDR Alert"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, MavInject Process Injection, CertOC Loading Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index 5e85fceb17..7239c63fcf 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index 79ea30a916..fe50dbb5f2 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Email Attachment Received"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index b384626b40..d52f05b2d8 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index 440faa9d4d..7edc320833 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 945fed2940..b82f0cf135 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Clear EventLogs Through CommandLine, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Configuration Changed, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Suspect Svchost Memory Access, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Python Opening Ports, Windows Defender Deactivation Using PowerShell Script, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, Powershell AMSI Bypass, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Turla Named Pipes, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, Invoke-TheHash Commandlets, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Turla Named Pipes, Trickbot Malware Activity, Suspicious PowerShell Keywords, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, Suspicious XOR Encoded PowerShell Command Line, PowerShell Commands Invocation, Microsoft Office Spawning Script, FromBase64String Command Line, Suspicious Cmd.exe Command Line, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Aspnet Compiler, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, PowerShell Credential Prompt, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, XSL Script Processing And SquiblyTwo Attack, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Malspam Execution Registering Malicious DLL, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Scripting In A WMI Consumer, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Smbexec.py Service Installation, OneNote Suspicious Children Process, Suspicious PsExec Execution, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Windows Suspicious Service Creation, Gpscript Suspicious Parent, Microsoft Defender Antivirus Threat Detected, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Smss Wrong Parent, Check Point Harmony Mobile Application Forbidden, Searchindexer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, DLL Load via LSASS Registry Key, NjRat Registry Changes, Malware Persistence Registry Key, Kernel Module Alteration, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Csrss Child Found, APT29 Fake Google Update Service Install, Dllhost Wrong Parent, StoneDrill Service Install, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, Wininit Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Csrss Child Found, APT29 Fake Google Update Service Install, Dllhost Wrong Parent, StoneDrill Service Install, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, Smbexec.py Service Installation, OneNote Suspicious Children Process, Suspicious PsExec Execution, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Windows Suspicious Service Creation, Gpscript Suspicious Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, FlowCloud Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, Disable Workstation Lock, Suspicious New Printer Ports In Registry, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, RDP Port Change Using Powershell, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, Active Directory Replication from Non Machine Account, RedMimicry Winnti Playbook Dropped File, Active Directory Database Dump Via Ntdsutil, DCSync Attack, Suspicious CommandLine Lsassy Pattern, Dumpert LSASS Process Dumper, Credential Dump Tools Related Files, LSASS Access From Non System Account, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, WCE wceaux.dll Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, Suspicious SAM Dump, Impacket Secretsdump.py Tool, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump File Creation, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, LSASS Memory Dump, Cmdkey Cached Credentials Recon, Malicious Service Installations, Wdigest Enable UseLogonCredential, Credential Dumping By LaZagne, Process Trace Alteration, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Transfering Files With Credential Data Via Network Shares, Rubeus Tool Command-line, Mimikatz LSASS Memory Access, Lsass Access Through WinRM, HackTools Suspicious Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, Mimikatz LSASS Memory Access, Lsass Access Through WinRM, Dumpert LSASS Process Dumper, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Dynwrapx Module Loading, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Desktopimgdownldr Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Denied Access To Remote Desktop"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, WMI Install Of Binary, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Admin Share Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, RDP Port Change Using Powershell, MMC20 Lateral Movement, Smbexec.py Service Installation, Protected Storage Service Access, Lsass Access Through WinRM, Denied Access To Remote Desktop, MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, Werfault DLL Injection, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, Active Directory User Backdoors, Add User to Privileged Group, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Replication User Backdoor"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Low Threat, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Defender Antivirus Threat Detected, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Low Threat, Suspicious Outlook Child Process, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Suspicious New Printer Ports In Registry, Audit CVE Event"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Mustang Panda Dropper, Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Sticky Key Like Backdoor Usage, Suspicious Scripting In A WMI Consumer, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, WMI Event Subscription, Change Default File Association"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Python HTTP Server, Detect requests to Konni C2 servers, Dynamic DNS Contacted, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Chafer (APT 39) Activity, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Possible Replay Attack, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Register New Logon Process"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Malicious Named Pipe, Taskhost Wrong Parent, Spoolsv Wrong Parent, Cobalt Strike Named Pipes, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Process Herpaderping, Process Hollowing Detection, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, Dynwrapx Module Loading, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, New Or Renamed User Account With '$' In Attribute 'SamAccountName', AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Execution From Suspicious Folder, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack, EvilProxy Phishing Domain"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, PowerView commandlets 1, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Credential Dump Tools Related Files, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Suspicious Hostname, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, Cookies Deletion, Secure Deletion With SDelete, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Audit CVE Event, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh Port Forwarding, Python Opening Ports, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Python Opening Ports, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspect Svchost Memory Access, Address Space Layout Randomization (ASLR) Alteration, Powershell AMSI Bypass, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Disable Security Events Logging Adding Reg Key MiniNt, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, In-memory PowerShell, Turla Named Pipes, Powershell Web Request, Detection of default Mimikatz banner, Alternate PowerShell Hosts Pipe, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, In-memory PowerShell, MalwareBytes Uninstallation, Turla Named Pipes, Trickbot Malware Activity, Powershell Web Request, Detection of default Mimikatz banner, Alternate PowerShell Hosts Pipe, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Mustang Panda Dropper, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Phorpiex DriveMgr Command, PowerShell Credential Prompt, Suspicious VBS Execution Parameter, PowerShell Malicious PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Suspicious Scripting In A WMI Consumer, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, FromBase64String Command Line, Aspnet Compiler, Suspicious XOR Encoded PowerShell Command Line, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Windows Suspicious Service Creation, Winrshost Wrong Parent, Credential Dumping Tools Service Execution, Csrss Child Found, Check Point Harmony Mobile Application Forbidden, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, Smbexec.py Service Installation, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Suspicious PsExec Execution, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Malicious Service Installations, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent, Metasploit PSExec Service Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Njrat Registry Values, Suspicious desktop.ini Action, NjRat Registry Changes, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, StoneDrill Service Install, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, StoneDrill Service Install, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Windows Suspicious Service Creation, Winrshost Wrong Parent, Credential Dumping Tools Service Execution, Csrss Child Found, Winword wrong parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Wininit Wrong Parent, Smbexec.py Service Installation, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Suspicious PsExec Execution, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Gpscript Suspicious Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Malicious Service Installations, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent, Metasploit PSExec Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, FlowCloud Malware, Suspicious New Printer Ports In Registry, Chafer (APT 39) Activity, Ursnif Registry Key, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, NetNTLM Downgrade Attack, Disable Workstation Lock, RDP Port Change Using Powershell, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, DNS ServerLevelPluginDll Installation, Remote Registry Management Using Reg Utility, OceanLotus Registry Activity, Disable Security Events Logging Adding Reg Key MiniNt, RDP Sensitive Settings Changed, Blue Mockingbird Malware"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Unsigned Image Loaded Into LSASS Process, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Mimikatz Basic Commands, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Mimikatz LSASS Memory Access, Transfering Files With Credential Data Via Network Shares, Credential Dumping Tools Service Execution, Process Trace Alteration, Password Dumper Activity On LSASS, WCE wceaux.dll Creation, HackTools Suspicious Names, SAM Registry Hive Handle Request, Wdigest Enable UseLogonCredential, LSASS Access From Non System Account, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Cmdkey Cached Credentials Recon, Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Dumpert LSASS Process Dumper, Active Directory Database Dump Via Ntdsutil, Process Memory Dump Using Createdump, Impacket Secretsdump.py Tool, Lsass Access Through WinRM, LSASS Memory Dump File Creation, HackTools Suspicious Process Names In Command Line, Credential Dumping-Tools Common Named Pipes, Suspicious CommandLine Lsassy Pattern, LSASS Memory Dump, Copying Browser Files With Credentials, Load Of dbghelp/dbgcore DLL From Suspicious Process, DCSync Attack, Credential Dumping By LaZagne, Malicious Service Installations, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Unsigned Image Loaded Into LSASS Process, Dumpert LSASS Process Dumper, Credential Dumping-Tools Common Named Pipes, Suspicious CommandLine Lsassy Pattern, LSASS Access From Non System Account, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Mimikatz LSASS Memory Access, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, LSASS Memory Dump File Creation, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, Dynwrapx Module Loading, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Malspam Execution Registering Malicious DLL, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, User Added to Local Administrators, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, WMImplant Hack Tool, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, RDP Port Change Using Powershell, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, MMC Spawning Windows Shell, Lsass Access Through WinRM, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, Admin Share Access, Denied Access To Remote Desktop"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Enabling Restricted Admin Mode, Active Directory Replication User Backdoor, Mimikatz Basic Commands, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, Active Directory User Backdoors, Add User to Privileged Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Domain Trust Created Or Removed, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Medium Threat, HarfangLab EDR Medium Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Medium Threat, HarfangLab EDR Medium Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, HarfangLab EDR Critical Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Mustang Panda Dropper, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, DNS Tunnel Technique From MuddyWater, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Malicious Named Pipe, Smss Wrong Parent, Process Hollowing Detection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Dynwrapx Module Loading, MavInject Process Injection, CreateRemoteThread Common Process Injection, Cobalt Strike Named Pipes, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Process Herpaderping, Spoolsv Wrong Parent"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, Credential Dump Tools Related Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, RTLO Character, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack, EvilProxy Phishing Domain"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD User Enumeration, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde, Remote Privileged Group Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, SAM Registry Hive Handle Request, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function, TUN/TAP Driver Installation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Eventlog Cleared, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts, Download Files From Non-Legitimate TLDs, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Audit CVE Event, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Python Opening Ports, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access, Linux Remove Immutable Attribute"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index c566580040..d981863d82 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Powershell Web Request, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Control Process, xWizard Execution, Empire Monkey Activity, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Windows Installer Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index a874de7977..22f45d2be5 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index f1a7e09f66..281fcb0304 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Suspicious DNS Child Process, SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Exfiltration Via Pscp, Rare Logonui Child Found, Rare Lsass Child Found, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Csrss Child Found, Windows Update LolBins"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Logonui Child Found, Rare Lsass Child Found, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Csrss Child Found"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Logonui Child Found, Rare Lsass Child Found, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, New Service Creation, Explorer Wrong Parent, Csrss Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Logonui Child Found, Rare Lsass Child Found, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, New Service Creation, Explorer Wrong Parent, Csrss Child Found"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Kernel Module Alteration"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Trickbot Malware Activity, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Windows Update LolBins, PsExec Process, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent, Rare Lsass Child Found"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Suspicious DNS Child Process, Rare Logonui Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent, Rare Lsass Child Found"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent, New Service Creation, Rare Lsass Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent, New Service Creation, Rare Lsass Child Found"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, RTLO Character, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index f5ac65846c..79ce817a4a 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Control Process, xWizard Execution, Empire Monkey Activity, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Windows Installer Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index 7d19f80562..c877ff4c4b 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Claroty xDome Network Threat Detection Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Claroty xDome Network Threat Detection Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index 464974532d..da8ed37b82 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Aspnet Compiler"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Cybereason EDR Alert"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Aspnet Compiler, Cybereason EDR Alert"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index d4394764d0..ab834694d4 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 994f15ebfe..fed4088a3c 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index 571d367682..89e919d040 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, MalwareBytes Uninstallation, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Sekoia.io EICAR Detection, Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Commands Invocation, Suspicious Taskkill Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Windows Installer Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Python HTTP Server, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, LokiBot Default C2 URL, Dynamic DNS Contacted, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, WMIC Uninstall Product, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Sekoia.io EICAR Detection, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Control Panel Items"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Control Panel Items"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, DNS Exfiltration and Tunneling Tools Execution, Cobalt Strike HTTP Default GET beaconing, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Python HTTP Server, Cryptomining, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Potential DNS Tunnel"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index bcb61b18ba..390e654c2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index e5946084c2..c728b628bf 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index 0eced25530..120aa47c15 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index 5870ccb48d..f57bbd4fcf 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cryptomining, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index 1cdb88c692..257ede7f01 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index 2049cac1b3..b732822035 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
index 35c32bf8a5..13263177ef 100644
--- a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index aafefdd946..c0515e49b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index ebf29502ff..326f8699fa 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Powershell Web Request, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Control Process, xWizard Execution, Empire Monkey Activity, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious Windows Installer Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One Medium Intrusion, SecurityScorecard Vulnerability Assessment Scanner - New Issues, Trend Micro Cloud One High Intrusion"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Medium Intrusion, SecurityScorecard Vulnerability Assessment Scanner - New Issues, Trend Micro Cloud One Low Intrusion"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index fa39ad72d4..3cc0a0f00c 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 98526c23d3..8eb9708322 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Trellix Network Security Threat Notified, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Trellix Network Security Threat Blocked, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Trellix Network Security Threat Notified, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Trellix Network Security Threat Blocked, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 55b12848a9..d709eabd0b 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Malware Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Malware Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index 218910ac2b..f2bcc79909 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index c3d8cdf08c..d96c742743 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index aa9f9812fb..5df5a356e3 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, SELinux Disabling, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Powershell AMSI Bypass, Disabled Service, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Invoke-TheHash Commandlets, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Suspicious PowerShell Keywords, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, Suspicious XOR Encoded PowerShell Command Line, PowerShell Commands Invocation, Microsoft Office Spawning Script, FromBase64String Command Line, Suspicious Cmd.exe Command Line, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Aspnet Compiler, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, PowerShell Credential Prompt, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Socat Relaying Socket, Microsoft Defender Antivirus Threat Detected, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Python Offensive Tools and Packages, AutoIt3 Execution From Suspicious Folder, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Names, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, WMI Install Of Binary, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Disable Workstation Lock, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Phosphorus Domain Controller Discovery, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, NjRat Registry Changes, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, SELinux Disabling, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Powershell AMSI Bypass, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Microsoft Defender Antivirus Disable SecurityHealth, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Mshta Suspicious Child Process, Suspicious Taskkill Command, WMImplant Hack Tool, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Trickbot Malware Activity, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Phorpiex DriveMgr Command, PowerShell Credential Prompt, Suspicious VBS Execution Parameter, PowerShell Malicious PowerShell Commandlets, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Socat Relaying Socket, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Suspicious Windows Script Execution, FromBase64String Command Line, Aspnet Compiler, Suspicious XOR Encoded PowerShell Command Line, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Malicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Interactive Terminal Spawned via Python, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Chafer (APT 39) Activity, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Invoke-TheHash Commandlets, WMImplant Hack Tool, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Login From Localhost, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, RDP Sensitive Settings Changed, Chafer (APT 39) Activity, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Relaying Socket, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index bb7841e34c..b76130caad 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index c880c56e38..bbc9a9db50 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index fe260eccd3..9bbc4c9946 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index 5c9b6f2636..f089eac25b 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Mass Download By A Single User, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Double Extension, Suspicious Email Attachment Received, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Suspicious Double Extension, Microsoft 365 (Office 365) MCAS New Country, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Risky IP, Possible Malicious File Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) MCAS Detection Velocity, Suspicious Email Attachment Received, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Malware Filter Rule Deletion, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Mass Download By A Single User, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Detection Velocity, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Double Extension, Suspicious Email Attachment Received, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Suspicious Email Attachment Received, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Possible Malicious File Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) MCAS Inbox Hiding, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) DLP Policy Removed, Suspicious Double Extension, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) MCAS Detection Velocity, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) AtpDetection, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index 1eeda656c3..3eaa230d04 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index 1fa9643a46..301e41c9b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 440c24292c..4a9c27a56b 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 75fd9ef8fa..9546b77c6a 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 8cdce8ba2f..f47c6bf981 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, Backup Catalog Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM ChangePassword, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail Disable MFA, AWS CloudTrail IAM CreateOpenIDConnectProvider, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail Important Change, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Important Change, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM ChangePassword"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail S3 Bucket Replication"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail S3 Bucket Replication"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted, Backup Catalog Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Important Change, AWS CloudTrail IAM ChangePassword, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Disable MFA, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Detector Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Disable MFA, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Important Change, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index 76e8774304..3b23b8a3d4 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index 2a6d435890..10c388e0ad 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index 69442a0c93..f35dee4395 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index 1824db4fe9..abb8798429 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 5102c799c2..f177ae5cf2 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index 2ee1b8d944..0658107c7d 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index f786cde6cb..dd374c96c9 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index 3776c72b3f..49d3afd59e 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index b790be18a6..ce760027d3 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index b38865821e..145d99c8b4 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Malware Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (CEO Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Spam Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index b4810ebf19..15ff044185 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta MFA Disabled, Okta Blacklist Manipulations, Okta Network Zone Deleted, Okta Network Zone Modified, Okta Security Threat Configuration Updated, Okta Network Zone Deactivated"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Impersonation Access, Okta Application modified, Okta User Account Deactivated, Okta Admin Privilege Granted, Okta Application deleted"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Modified, Okta Network Zone Deactivated"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta MFA Disabled, Okta Blacklist Manipulations, Okta Network Zone Deleted, Okta Network Zone Modified, Okta Security Threat Configuration Updated, Okta Network Zone Deactivated"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta User Account Deactivated, Okta Application modified, Okta User Impersonation Access, Okta Application deleted"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index becb1bf036..ccb5148569 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, Dism Disabling Windows Defender, WMIC Uninstall Product, SELinux Disabling, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Powershell Web Request, Python Offensive Tools and Packages, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Powershell Web Request, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Socat Relaying Socket, Generic-reverse-shell-oneliner, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Interactive Terminal Spawned via Python, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, MavInject Process Injection, CertOC Loading Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Cookies Deletion, High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Relaying Socket, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index 3e98631ff4..52daf2f89d 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index ca89542fc1..b28e8990b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index 8e68f0d77e..229e4c74e7 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 0ac5ec81a0..e2df9ff7ba 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index c5fc8409a2..3e58648608 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index 60e1d15520..0eae45a384 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index c68be311ec..3a9477c53b 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index c7463b2d6f..5b4686ead9 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Suspicious Driver Loaded, Dism Disabling Windows Defender, WMIC Uninstall Product, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Fail2ban Unban IP, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Raccine Uninstall, FLTMC command usage, Dism Disabling Windows Defender, WMIC Uninstall Product, Suspicious Driver Loaded, Netsh Allow Command, Disabled IE Security Features, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Lazarus Loaders, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Office Spawning Script, Suspicious Cmd.exe Command Line, Aspnet Compiler, Sekoia.io EICAR Detection, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Threat Detected, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, Linux Bash Reverse Shell, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found, Windows Update LolBins"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Winword wrong parent, Rare Lsass Child Found, Taskhost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smss Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchprotocolhost Child Found"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: xWizard Execution, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Control Process, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Mshta JavaScript Execution, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Stormshield Ses Emergency Block, Winword Document Droppers, Stormshield Ses Critical Not Block, Stormshield Ses Critical Block, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Suspicious Outlook Child Process"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, FlowCloud Malware, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disabling SmartScreen Via Registry, Disable Workstation Lock, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cryptomining, Python HTTP Server"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, NjRat Registry Changes, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Netsh Port Opening, Netsh Allowed Python Program, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall, FLTMC command usage, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Mshta Suspicious Child Process, Suspicious Taskkill Command, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Trickbot Malware Activity, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, PowerShell Commands Invocation, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Sysprep On AppData Folder, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Windows Update LolBins, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winlogon wrong parent, OneNote Suspicious Children Process, Smss Wrong Parent, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Suspicious DNS Child Process, PsExec Process, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Lsass Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, MOFComp Execution, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, AccCheckConsole Executing Dll"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Stormshield Ses Critical Not Block, Stormshield Ses Emergency Block, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Sysmon Windows File Block Executable, Stormshield Ses Critical Block"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Linux Suspicious Search"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Gpresult Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
index 59971be5a5..cf7f3cbb1b 100644
--- a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP Suspicious Behavior"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP Suspicious Behavior"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index 3e10e8a1df..c973eb82fe 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner - New Issues"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index 99532ce58e..3f43831b8c 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index 9095146820..c34ab0f2e4 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 026c0dafb8..4558450c4d 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Changelog _last update on 2024-08-28_
+Changelog _last update on 2024-08-29_
 
 ## Changelog
 
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 9b3edb6149..8ddecc38ef 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **940 built-in detection rules** ([_last update on 2024-08-28_](rules_changelog.md)).
+Rules catalog includes **942 built-in detection rules** ([_last update on 2024-08-29_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Identity Information**
 
@@ -208,6 +208,12 @@ Rules catalog includes **940 built-in detection rules** ([_last update on 2024-0
 ## Resource Development
 **Acquire Infrastructure**
 
+??? abstract "Login Brute-Force Successful On ArubaOS Switch"
+    
+    A user has attempted to login several times (brute-force) on ArubaOS switch and succeeded to login.
+    
+    - **Effort:** advanced
+    
 ??? abstract "Login Brute-Force Successful On AzureAD From Single IP Address"
     
     A user has attempted to login several times (brute-force) on AzureAD and succeeded to login, all from the same source IP address and in a timerange of 5 minutes.
@@ -353,6 +359,12 @@ Rules catalog includes **940 built-in detection rules** ([_last update on 2024-0
     
 **Compromise Infrastructure**
 
+??? abstract "Login Brute-Force Successful On ArubaOS Switch"
+    
+    A user has attempted to login several times (brute-force) on ArubaOS switch and succeeded to login.
+    
+    - **Effort:** advanced
+    
 ??? abstract "Login Brute-Force Successful On AzureAD From Single IP Address"
     
     A user has attempted to login several times (brute-force) on AzureAD and succeeded to login, all from the same source IP address and in a timerange of 5 minutes.
@@ -6072,6 +6084,12 @@ Rules catalog includes **940 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** advanced
     
+??? abstract "Daspren Parad Malicious Behavior"
+    
+    Detects when Daspren Parad kills a process with a malicious behavior.
+    
+    - **Effort:** master
+    
 ??? abstract "Dynwrapx Module Loading"
     
     Detects the loading of DynamicWrapperX (Dynwrapx). It is used by some malware in their infection chain and could help to detect its usage from vbs/wscript/cscript scripts. This is based on Microsoft Windows Sysmon events (Event ID 7).
@@ -7798,6 +7816,12 @@ Rules catalog includes **940 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** advanced
     
+??? abstract "Daspren Parad Malicious Behavior"
+    
+    Detects when Daspren Parad kills a process with a malicious behavior.
+    
+    - **Effort:** master
+    
 ??? abstract "Dynwrapx Module Loading"
     
     Detects the loading of DynamicWrapperX (Dynwrapx). It is used by some malware in their infection chain and could help to detect its usage from vbs/wscript/cscript scripts. This is based on Microsoft Windows Sysmon events (Event ID 7).
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md
index 767e5f3ae9..c4727779c9 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.md
@@ -51,6 +51,12 @@ The following Sekoia.io built-in rules match the intake **Daspren Parad [BETA]**
     
     - **Effort:** advanced
 
+??? abstract "Daspren Parad Malicious Behavior"
+    
+    Detects when Daspren Parad kills a process with a malicious behavior.
+    
+    - **Effort:** master
+
 ??? abstract "Exfiltration And Tunneling Tools Execution"
     
     Execution of well known tools for data exfiltration and tunneling
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md
index 33e0582023..4f5d57aeaa 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.md
@@ -1 +1,274 @@
-No related built-in rules was found. This message is automatically generated.
+### Related Built-in Rules
+
+The following Sekoia.io built-in rules match the intake **Google Cloud Load Balancing [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+
+[SEKOIA.IO x Google Cloud Load Balancing [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json){ .md-button }
+??? abstract "CVE-2018-11776 Apache Struts2"
+    
+    Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2018-13379 Fortinet Exploit"
+    
+    Detects the successful exploitation of the Fortinet FortiOS CVE-2018-13379. This CVE is one of the most exploited CVEs since 2018. It is exploited by APT threat actors as well as cybercriminals. The exploitation of this CVE lead an unauthenticated user to get full access to FortiOS system file through SSL VPN via specially crafted HTTP resource requests. The exploit read /dev/cmdb/sslvpn_websession file, that contains login and passwords in (clear/text). An HTTP response status code = 200, means the file was successfully accessed. This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2019-0604 SharePoint"
+    
+    Detects the exploitation of the SharePoint vulnerability (CVE-2019-0604).
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2019-11510 Pulse Secure Exploit"
+    
+    Detects the successful exploitation of the Pulse Secure vulnerability CVE-2019-11510. This CVE is one of the most exploited CVEs since 2019. It is exploited by diverse threat actors, leading sometimes in ransomware deployement among these groups: Maze, Conti, Egregor, DoppelPaymer, NetWalker and REvil. But also APT actors such as APT29. The exploitation of this CVE allows a remote, unauthenticated attacker to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. The exploit reads /etc/passwd file to get access to login and passwords in (clear/text). An HTTP response status code = 200, means the file was successfully accessed. This vulnerability affects 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 products.
+    
+    - **Effort:** elementary
+
+??? abstract "CVE-2019-19781 Citrix NetScaler (ADC)"
+    
+    Detects CVE-2019-19781 exploitation attempt against Citrix NetScaler (ADC), Application Delivery Controller and Citrix Gateway Attack.
+    
+    - **Effort:** elementary
+
+??? abstract "CVE-2019-2725 Oracle Weblogic Exploit"
+    
+    Detects the successful exploitation of a deserialization vulnerability in Oracle Weblogic Server, CVE-2019-2725. This vulnerability affects versions 10.X and 12.1.3 of WebLogic that have the components wls9_async_response.war and wls-wsat.war enabled. It is a remote code execution which can be exploited without authentication via HTTP. An HTTP response status code = 202, means the target is vulnerable, the analyst then has to look in depth to check if a webshell has been uploaded or something else has been done.
+    
+    - **Effort:** elementary
+
+??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
+    
+    Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.
+    
+    - **Effort:** elementary
+
+??? abstract "CVE-2020-1147 SharePoint"
+    
+    Detection of SharePoint vulnerability CVE-2020-1147.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2020-14882 Oracle WebLogic Server"
+    
+    Detects the exploitation of the Oracle WebLogic Server vulnerability (CVE-2020-16952).
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2020-17530 Apache Struts RCE"
+    
+    Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2020-5902 F5 BIG-IP Exploitation Attempts"
+    
+    Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902.
+    
+    - **Effort:** elementary
+
+??? abstract "CVE-2021-20021 SonicWall Unauthenticated Administrator Access"
+    
+    Detects the exploitation of SonicWall Unauthenticated Admin Access.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-20023 SonicWall Arbitrary File Read"
+    
+    Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-21972 VMware vCenter"
+    
+    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). POST request on the following PATH "/ui/vropspluginui/rest/services/uploadova". If in response body (500) the words it has "uploadFile", that means the vCenter is available to accept files via POST without any restrictions.
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2021-21985 VMware vCenter"
+    
+    The VMware vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.0 before 7.0 U2b, 6.7 before 6.7 U3n and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-22123 Fortinet FortiWeb OS Command Injection"
+    
+    Detects Fortinet FortiWeb OS Command Injection (August 2021) vulnerability exploitation attempt. A remote, authenticated attacker can execute arbitrary commands on the system hosting a vulnerable FortiWeb WAF by sending a POST request with the command in the name field. At the time of writing this rule, it would appear that the request would respond in code 500 for a successful exploitation attempt.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"
+    
+    Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2021-26855 Exchange SSRF"
+    
+    Detects the exploitation of ProyxLogon vulerability on Exchange servers.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-34473 ProxyShell Attempt"
+    
+    Detects CVE-2021-34473 ProxyShell attempt against Microsoft Exchange Server, Remote Code Execution Vulnerability.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-41773 Apache 2.4.49 Path Traversal"
+    
+    Detects successful exploitation of the Apache Path Traversal CVE-2021-41773.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-43798 Grafana Directory Traversal"
+    
+    Grafana version 8.x has a 0day arbitrary file read (with no fix yet) based on a directory traversal vulnerability
+    
+    - **Effort:** intermediate
+
+??? abstract "Cryptomining"
+    
+    Detection of domain names potentially related to cryptomining activities.
+    
+    - **Effort:** master
+
+??? abstract "Detect requests to Konni C2 servers"
+    
+    This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.
+    
+    - **Effort:** elementary
+
+??? abstract "Download Files From Suspicious TLDs"
+    
+    Detects download of certain file types from hosts in suspicious TLDs
+    
+    - **Effort:** master
+
+??? abstract "Dynamic DNS Contacted"
+    
+    Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
+    
+    - **Effort:** master
+
+??? abstract "Exfiltration Domain"
+    
+    Detects traffic toward a domain flagged as a possible exfiltration vector.
+    
+    - **Effort:** master
+
+??? abstract "FoggyWeb HTTP Default GET/POST Requests"
+    
+    Detects GET or POST request pattern observed within the first FoggyWeb campaign detected by Microsoft.
+    
+    - **Effort:** advanced
+
+??? abstract "GitLab CVE-2021-22205"
+    
+    Detects GitLab vulnerability CVE-2021-22205 exploitation success. It allows an attacker to do some remote code execution with user git. The HTTP return code 422 indicates a successfull exploitation.
+    
+    - **Effort:** intermediate
+
+??? abstract "Koadic MSHTML Command"
+    
+    Detects Koadic payload using MSHTML module
+    
+    - **Effort:** intermediate
+
+??? abstract "LokiBot Default C2 URL"
+    
+    Detects default C2 URL for trojan LokiBot
+    
+    - **Effort:** elementary
+
+??? abstract "Nimbo-C2 User Agent"
+    
+    Nimbo-C2 Uses an unusual User-Agent format in its implants.
+    
+    - **Effort:** intermediate
+
+??? abstract "Possible Malicious File Double Extension"
+    
+    Detects request to potential malicious file with double extension
+    
+    - **Effort:** elementary
+
+??? abstract "Potential Bazar Loader User-Agents"
+    
+    Detects potential Bazar loader communications through the user-agent
+    
+    - **Effort:** elementary
+
+??? abstract "Potential Lemon Duck User-Agent"
+    
+    Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".
+    
+    - **Effort:** elementary
+
+??? abstract "Potential LokiBot User-Agent"
+    
+    Detects potential LokiBot communications through the user-agent
+    
+    - **Effort:** intermediate
+
+??? abstract "Privilege Escalation Awesome Scripts (PEAS)"
+    
+    Detect PEAS privileges escalation scripts and binaries
+    
+    - **Effort:** elementary
+
+??? abstract "ProxyShell Microsoft Exchange Suspicious Paths"
+    
+    Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.
+    
+    - **Effort:** elementary
+
+??? abstract "Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"
+    
+    Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts.
+    
+    - **Effort:** elementary
+
+??? abstract "Remote Access Tool Domain"
+    
+    Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
+    
+    - **Effort:** master
+
+??? abstract "SEKOIA.IO Intelligence Feed"
+    
+    Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
+    
+    - **Effort:** elementary
+
+??? abstract "Sekoia.io EICAR Detection"
+    
+    Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
+    
+    - **Effort:** master
+
+??? abstract "SharePoint Authenticated SSRF"
+    
+    Detects succesful SSRF from an authenticated SharePoint user.
+    
+    - **Effort:** elementary
+
+??? abstract "Suspicious Download Links From Legitimate Services"
+    
+    Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
+    
+    - **Effort:** intermediate
+
+??? abstract "Suspicious URI Used In A Lazarus Campaign"
+    
+    Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.
+    
+    - **Effort:** intermediate
+
+??? abstract "TOR Usage Generic Rule"
+    
+    Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
+    
+    - **Effort:** master
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 91f02e9d6e..3c899a3ca4 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
 # Built-in detection rules, EventIDs and EventProviders relations
 SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-08-28_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-08-29_
 
 The colors of the EventIDs in this page should be interpreted as follow: